Zero-Knowledge Proofs for Set Membership: E cient, Succinct, … · 2020. 5. 6. · Zero-Knowledge Proofs for Set Membership: E cient, Succinct, Modular Daniel Benarroch1, Matteo

Zero-Knowledge Proofs for Set Membership:Efficient, Succinct, Modular?

Daniel Benarroch1, Matteo Campanelli2, Dario Fiore2, Kobi Gurkan4,5, and DimitrisKolonelos2,3

1 QEDIT, Israel2 IMDEA Software Institute, Madrid, Spain3 Universidad Politecnica de Madrid, Spain

4 Ethereum Foundation5 cLabs

Abstract. We consider the problem of proving in zero knowledge that an element of a public setsatisfies a given property without disclosing the element, i.e., for some u, “u ∈ S and P (u) holds”. Thisproblem arises in many applications (anonymous cryptocurrencies, credentials or whitelists) where, forprivacy or anonymity reasons, it is crucial to hide certain data while ensuring properties of such data.

We design new modular and efficient constructions for this problem through new commit-and-provezero-knowledge systems for set membership, i.e. schemes proving u ∈ S for a value u that is in a publiccommitment cu. We also extend our results to support non-membership proofs, i.e. proving u /∈ S.

Being commit-and-prove, our solutions can act as plug-and-play modules in statements of the form“u ∈ S and P (u) holds” by combining our set (non-)membership systems with any other commit-and-prove scheme for P (u). Also, they work with Pedersen commitments over prime order groups whichmakes them compatible with popular systems such as Bulletproofs or Groth16.

We implemented our schemes as a software library, and tested experimentally their performance. Com-pared to previous work that achieves similar properties—the clever techniques combining zkSNARKsand Merkle Trees in Zcash—our solutions offer more flexibility, shorter public parameters and 3.7×–30×faster proving time for a set of size 264.

1 Introduction

The problem of proving set membership—that a given element x belongs to some set S—arises inmany applications, including governmental white-lists to prevent terrorism or money-laundering,voting and anonymous credentials, among others. More recently, this problem also appears at theheart of currency transfer and identity systems over blockchains. In this setting, parties can firstpublicly commit to sets of data (through the blockchain itself) and then, by proving set membership,can claim ownership of assets or existence of identity attributes, while ensuring privacy.

A naive approach to check if an element is in a set is to go through all its entries. The complexityof this approach, however, is unacceptable in many scenarios. This is especially true for blockchains,where most of the parties (the verifiers) should run quickly.

How to efficiently verify set membership then? Cryptographic accumulators [Bd94] provide anice solution to this problem. They allow a set of elements to be compressed into a short value (theaccumulator) and to generate membership proofs that are short and fast to verify. As a securityguarantee they require it should be computationally infeasible to generate a false membership proof.

As of today, we can divide constructions for accumulators into three main categories: MerkleTrees [Mer88]; RSA-based [BP97, CL02, LLX07, BBF18a]; pairing-based [Ngu05, DT08, CKS09,

? An extended abstract of the paper appeared at Financial Cryptography and Data Security 2021.

ZKP17]. Approaches based on Merkle Trees1 allow for short (i.e., O(1)) public parameters andaccumulator values, whereas the witness for membership proofs is of size log(n), where n is thesize of the set. In RSA-based constructions (which can be actually generalized to any group ofunknown order [Lip12], including class groups) both the accumulator and the witness are each asingle element in a relatively large hidden-order group G,2 and thus of constant-size. Schemes thatuse pairings in elliptic curves such as [Ngu05, CKS09] offer small accumulators and small witnesses(which can each be a single element of a prime order bilinear group, e.g., 256 bits) but require largeparameters (approximately O(n)) and a trusted setup.

In anonymous cryptocurrencies, e.g. Zerocash [BCG+14] (but also in other applications suchas Anonymous Credentials [Cha85] and whitelists), we also require privacy. That is, parties in thesystem would not want to disclose which element in the set is being used to prove membership.Phrased differently, one desires to prove that u ∈ S without revealing u, or: the proof should bezero-knowledge [GMR89] for u. As an example, in Zerocash users want to prove that a coin exists(i.e. belongs to the set of previously sent coins) without revealing which coin it is that they arespending.

In practice it is common that this privacy requirement goes beyond proving membership. Infact, these applications often require proving further properties about the accumulated elements,e.g., that for some element u in the set, property P (u) holds. And this without leaking any moreinformation about u other than what is entailed by P . In other words, we desire zero-knowledgefor the statement R∗(S, u) := “u ∈ S and P (u)”.

One way to solve the problem, as done in Zerocash, is to directly apply general-purpose zero-knowledge proofs for R∗, e.g., [PHGR13, Gro16]. This approach, however, tends to be expensiveand ad-hoc. One of the questions we aim to tackle is that of providing a more efficient proof systemsfor set membership relations, that can also be modular.

Specifically, as observed in [CFQ19], the design of practical proof systems can benefit froma more modular vision. A modular framework such as the one in [CFQ19] not only allows forseparation of concerns, but also increases reusability and compatibility in a plug-and-play fashion:the same proof system is designed once and can be reused for the same sub-problem regardless ofthe context3; it can be replaced with a component for the same sub-problem at any time. Also,as [CFQ19] shows, this can have a positive impact on efficiency since designing a special-purposeproof system for a specific relation can lead to significant optimizations. Finally, this compositionalapproach can also be leveraged to build general-purpose proof systems.

In this work we focus on applying this modular vision to designing succinct zero-knowledgeproofs for set membership. Following the abstract framework in [CFQ19] we investigate how toapply commit-and-prove techniques [CLOS02] to our setting. Our approach uses commitmentsfor composability as follows. Consider an efficient zero-knowledge proof system Π for propertyP (u). Let us also assume it is commit-and-prove, i.e. the verifier can test P (u) by simply holding acommitment c(u) to u. Such Π could be for example a commit-and-prove NIZK such as Bulletproofs[BBB+18] or a commit-and-prove zkSNARK such as LegoGroth16 from [CFQ19] that are able tooperate on Pedersen commitments c(·) over elliptic curves. In order to obtain a proof gadget for set

1 We can include under this class currently known lattice-based accumulators such as [PSTY13, LLNW16].2 The group G is typically Z∗N where N is an RSA modulus. The size of an element in this group for a standard

128-bit security parameter is of 3072 bits.3 For instance, one can plug a proof system for matrix product C = A · B in any larger context of computation

involving matrix multiplication. This regardless of whether, say, we then hash C or if A,B are in turn the outputof a different computation

2

membership, all one needs to design is a commit-and-prove scheme for the relations “u ∈ S” whereboth u and S are committed: u through c(u) and S through some other commitment for sets, suchas an accumulator.

Our main contribution is to propose a formalization of this approach and new constructions ofsuccinct zero-knowledge commit-and-prove systems for set membership. In addition, as we detaillater, we also extend our results to capture proofs of non-membership, i.e., to show that u /∈ S. Forour constructions we focus on designing schemes where c(u) is a Pedersen commitment in a primeorder group Gq. We focus on linking through Pedersen commitments as these can be (re)used insome of the best state-of-the-art zero-knowledge proof systems for general-purpose relations thatoffer for example the shortest proofs and verification time (see, e.g.,[Gro16] and its efficient commit-and-prove variant [CFQ19]), or transparent setup and logarithmic-size proofs [BBB+18].

Before describing our results in more detail, we review existing solutions and approaches torealize commit-and-prove zkSNARKs for set membership.

Existing Approaches for Proving Set Membership for Pedersen Commitments. Theaccumulator of Nguyen [Ngu05], by the simple fact of having a succinct pairing-based verificationequation, can be combined with standard zero-knowledge proof techniques (e.g., Sigma protocols orthe celebrated Groth-Sahai proofs [GS08]) to achieve a succinct system with reasonable proving andverification time. The main drawbacks of using [Ngu05], however, are the large public parameters(i.e. requiring as many prime group elements as the elements in the set) and a high cost for updatingthe accumulator to the set, in order to add or remove elements (essentially requiring to recomputethe accumulator from scratch).

By using general-purpose zkSNARKs one can obtain a solution with constant-size proofs basedon Merkle Trees: prove that there exists a valid path which connects a given leaf to the root; thisrequires proving correctness of about log n hash function computations (e.g., SHA256). This solutionyields a constant-size proof and requires log n-size public parameters if one uses preprocessingzkSNARKs such as [PHGR13, Gro16]. On the other hand, often when proving a relation such asR∗(S, u) := “u ∈ S and P (u)” the bulk of the work stems from the set membership proof. This isthe case in Zcash or Filecoin4 where the predicate P (·) is sufficiently small.

Finally, another solution that admits constant-size public parameters and proofs is the protocolof [CL02]. Specifically, Camenisch and Lysyanskaya showed how to prove in zero-knowledge thatan element u committed in a Pedersen commitment over a prime order group Gq is a member of anRSA accumulator. In principle this solution would fit the criteria of the gadget we are looking for.Nonetheless, its concrete instantiations show a few limitations in terms of efficiency and flexibility.The main problem is that, for its security to hold, we need a prime order group (the commitmentspace) and the primes (the message space) to be quite large, for example5 q > 2519. But havingsuch a large prime order group may be undesirable in practice for efficiency reasons. In fact thegroup Gq is the one that is used to instantiate more proof systems that need to interact and belinked with the Pedersen commitment.

4 https://filecoin.io5 More specifically: the elements of a set need to be prime numbers in a range (A,B) such that q/2 > A2 − 1 >B · 22λst+2. If aiming at 128 bits of security level one can meet this constraint by choosing for example A = 2259,B = 2260 and q > 2519.

3

https://filecoin.io

1.1 Our Contributions

We investigate the problem of designing commit-and-prove zero-knowledge systems for set mem-bership and non-membership that can be used in a modular way and efficiently composed withother zero-knowledge proof systems for potentially arbitrary relations. Our main results are thefollowing.

First, building upon the view of recent works on composable proofs [AGM18, CFQ19], we definea formal framework for commit-and-prove zkSNARKs (CP-SNARKs) for set (non-)membership.The main application of this framework is a compiler that, given a CP-SNARK CPmem for setmembership and any other CP-SNARK CPR for a relation R, yields a CP-SNARK CP for thecomposed relation “u ∈ S ∧ ∃ω : R(u, ω)”. As a further technical contribution, our frameworkextends the one in [CFQ19] in order to work with commitments from multiple schemes (includingset commitments, e.g., accumulators).

Second, we propose new efficient constructions of CP-SNARKs for set membership and non-membership, in which elements of the accumulated set can be committed with a Pedersen com-mitment in a prime order group Gq—a setting that, as argued before, is of practical relevance dueto the widespread use of these commitments and of proof systems that operate on them. In moredetail, we propose: four schemes (two for set membership and two for non-membership) that enjoyconstant-size public parameters and are based on RSA accumulators for committing to sets, and ascheme over pairings that has public parameters linear in the size of the set, but where the set canremain hidden.

Finally, we implement our solutions in a software library and experimentally evaluate theirperformance.

Like the recent works [AGM18] and [CFQ19], our work can be seen as showing yet anothersetting—set membership— where the efficiency of SNARKs can benefit from a modular design.

RSA-based constructions. Our first scheme, a CP-SNARK for set membership based on RSAaccumulators, supports a large domain for the set of accumulated elements, represented by binarystrings of a given length η. Our second scheme, also based on RSA accumulators, supports elementsthat are prime numbers of exactly µ bits (for a given µ). Neither scheme requires an a-priori boundon the cardinality of the set. Both schemes improve the proof-of-knowledge protocol by Camenischand Lysyanskaya [CL02]: (i) we can work with a prime order group Gq of “standard” size, e.g., 256bits, whereas [CL02] needs a much larger Gq (see above). We note that the size of Gq affects notonly the efficiency of the set membership protocol but also the efficiency of any other protocol thatneeds to interact with commitments to alleged set members; (ii) we can support flexible choices forthe size of set elements. For instance, in the second scheme, we could work with primes of about50 or 80 bits,6 which in practice captures virtually unbounded sets and can make the accumulatoroperations 4–5× faster compared to using ≈ 256-bits primes as in [CL02].

Our main technical contribution here involves a new way to link a proof of membership for RSAaccumulators to a Pedersen commitment in a prime order group, together with a careful analysisshowing this can be secure under parameters not requiring a larger prime order group (as in [CL02]).See Section 4 for further details.

Pairing-based construction. Our pairing-based scheme for set membership supports set elementsin Zq, where q is the order of bilinear groups, while the sets are arbitrary subsets of Zq of cardinality

6 When prime representation is suitable for the application, distinct primes can be generated without a hash fuction(e.g. by using sequential primes).

4

less than a fixed a-priori bound n. This scheme has the disadvantage of having public parameterslinear in n, but has other advantages in comparison to previous schemes with a similar limitation(and also in comparison to the RSA-based schemes above). First, the commitment to the set can behiding and untrusted for the verifier, i.e., the set can be kept hidden and it is not needed to check theopening of the commitment to the set; this makes it composable with proof systems that could forexample prove global properties on the set, i.e., that P (S) holds. Second, the scheme works entirelyin bilinear groups, i.e., no need of operating over RSA groups. The main technical contributionhere is a technique to turn the EDRAX vector commitment [CPZ18] into an accumulator admittingefficient zero-knowledge membership proofs.

Extensions to Set Non-Membership. We propose extensions of both our CP-SNARK frame-work and RSA constructions to deal with proving set non-membership, namely proving in zero-knowledge that u /∈ S with respect to a commitment c(u) and a committed set S. Our two RSA-based schemes for non-membership have the same features as the analogous membership schemesmentioned above: the first scheme supports sets whose elements are strings of length η, the secondone supports elements that are prime numbers of µ bits, and both work with elements committedusing Pedersen in a prime order group and sets committed with RSA accumulators. A byproduct ofsharing the same parameters is that we can easily compose the set-membership and non-membershipschemes, via our framework, in order to prove statements like u ∈ S1 ∧ u /∈ S2. Our technical con-tribution in the design of these schemes is a zero-knowledge protocol for non-membership witnessesof RSA accumulators that is linked to Pedersen commitments in prime order groups.

Implementation and Experiments. We have implemented our RSA-based7 schemes for mem-bership and non-membership as a Rust library which is publicly available [cps]. Our library isimplemented in a modular fashion to work with any elliptic curve from libzexe [SCI] and Ristrettofrom curve25519-dalek [LdV]. This choice enables everyone to easily and efficiently combine ourCP-SNARKs in a modular way with other CP-SNARKs implemented over these elliptic curves,such as Bulletproofs [BBB+18] and LegoGroth16 [CFQ19].

We evaluated our RSA-based constructions and compared them against highly optimized so-lutions based on Merkle Trees8. Our schemes achieve significantly better performance in provingtime while slightly compromising on proof size and verification time. Our implementation is fast,yet we have not heavily optimized it and thus expect the results can be further improved.

Our solutions supporting sets of arbitrary elements achieve a proving time that is up to9 3.7×faster for set membership (309ms vs. 1.14s) and up to 7× faster for set non-membership (325msvs. 2.28s).10

Our solutions where elements of the set are large prime numbers (i.e., of 252-bit size) offer evenbetter results: our proving time is 4.5×–23.5× faster for membership and 6.8×–36× faster for non-membership (depending on the depth of the Merkle tree used in the comparison). We also show anoptimization that, at the price of achieving computational (instead of statistical) zero-knowledge,is twice faster (see section 7.4). This scenario can for example capture the case of sets made of

7 For the implementation we focused on schemes where the public parameters do not depend on the set size; hence,we did not implement the pairing-based solutions.

8 For our experiments we consider Merkle Trees using Pedersen Hash over the JubJub curve [HBHW16].9 We stress the proving time for our construction does not vary when the set grows. On the other hand this time

varies for solutions based on Merkle trees.10 These ratios refer to a comparison against Interval Merkle Trees which require opening two paths to prove non-

membership. When compared against Sparse Merkle Trees, our solutions show similar improvement ratios.

5

hiding commitments that are prime numbers. In Section 8 we discuss how this can be relevant fora slight variant of the Zerocash protocol where commitments can be made prime numbers.

More details on the implementation and the benchmarks are available in Section 7.

Transparent Instantiations. We generalize our building blocks for RSA groups to any hidden-order group (appendix E). By instantiating the latter with class groups and by using a transparentCP-NIZK such as Bulletproofs, we obtain variants of our RSA-based schemes with transparentsetup. Class groups are more expensive than traditional RSA groups; in this setting we still obtainperformance (proving time 12s; |Π| = 6.4KB) outperforming other transparent solution for largeMerkle trees, roughly 264 leaves (see [ZXZS20, Fig. 5] which summarizes performances of transparentSNARKs used to prove Merkle tree computations using SHA256 as hash). These potential gainscome at the price of a relatively longer verification (compared to other solutions): 6.4s.

1.2 Other Related Work

Ozdemir et al. [OWWB19] recently proposed a solution to scale operations on RSA accumulatorsinside a SNARK. In particular, their approach scales when these operations are batched (i.e., whenproving membership of many elements at the same time); for example, they surpass a 220-largeMerkle tree when proving batches of at least 600 elements. This approach is attractive in settingswhere we can delegate a large quantity of these checks to an untrusted server as there is a highconstant proving cost. In contrast, our approach can achieve faster proving time than Merkle treesalready for a single membership check. It is an interesting open problem to adapt our techniquesfor modular set (non-)membership for the case of batched membership while keeping the testedelements hidden.

1.3 Organization

We give basic definitions in Section 2. In Section 3 we formalize commit-and-prove zkSNARKs forset (non-)membership. We describe our main constructions based on RSA accumulators for setmembership and non-membership respectively in Sections 4 and 5. We describe our constructionfor set membership based on bilinear pairings in Section 6. Finally, in Sections 7 and 8 we discussour implementation, experiments and applications.

2 Preliminaries

Notation. We denote the security parameter with λ ∈ N and its unary representation with 1λ.Throughout the paper we assume that all the algorithms of the cryptographic schemes take asinput 1λ, which is thus omitted from the list of inputs. If D is a distribution, we denote by x← Dthe process of sampling x according to D. An ensemble X = {Xλ}λ∈N is a family of probabilitydistributions over a family of domains D = {Dλ}λ∈N, and we say that two ensembles D = {Dλ}λ∈Nand D′ = {D′λ}λ∈N are statistically indistinguishable (denoted by D ≈s D′) if 1

2

∑x |Dλ(x) −

D′λ(x)| < negl(λ). If A = {Aλ} is a (possibly non-uniform) family of circuits and D = {Dλ}λ∈N isan ensemble, then we denote by A(D) the ensemble of the outputs of Aλ(x) when x← Dλ. We saytwo ensembles D = {Dλ}λ∈N and D′ = {D′λ}λ∈N are computationally indistinguishable (denotedby D ≈c D′) if for every non-uniform polynomial time distinguisher A we have A(D) ≈s A(D′).

6

We use [n] to denote the set of integers {1, . . . , n}, and [0, n] for {0, 1, . . . , n}. We denote by(uj)j∈[`] the tuple of elements (u1, . . . , u`).

We denote Primes := {e ∈ N : e is prime} the set of all positive integers e > 1 such thatthey do not have non-trivial (i.e. different than e and 1) factors. More specifically, given twopositive integers A,B > 0 such that A < B, we denote with Primes(A,B) the subset of Primes ofnumbers lying in the interval (A,B), i.e., Primes(A,B) := {e ∈ Z : e is prime ∧ A < e < B}.According to the well known prime number theorem |Primes(1, B)| = O( B

logB ) which results to

|Primes(A,B)| = O( BlogB )−O( A

logA).

2.1 RSA Groups

We say that N = pq is an RSA modulus for some primes p, q, such that |p| = |q|. We furthersay that N is a strong RSA modulus if there are primes p′, q′ such that p = 2p′ + 1, q = 2q′ + 1.We call Z∗N for an RSA modulus an RSA group. With φ : N → N we denote the Euler’s totientfunction, φ(N) := |Z∗N |. In particular for RSA modulus φ(N) = (p − 1)(q − 1). An RSA Groupgenerator N ←$ GenSRSAmod(1λ) is a probabilistic algorithm that outputs a strong RSA modulusN of bit-length `(λ) for an appropriate polynomial `(·).

For any N we denote by QRN := {Y : ∃X ∈ Z∗N such that Y = X2 (mod N)}, the set of allthe quadratic residues modulo N . QRN is a subgroup (and thus closed under multiplication) of Z∗Nwith order |QRN | = |Z∗N |/2. In particular for a strong RSA modulus |QRN | = 4p′q′

2 = 2p′q′.

Computational Assumptions in RSA Groups. The most fundamental assumption for RSAgroups is the factoring assumption which states that given an RSA modulus N ← GenSRSAmod(1λ)it is hard to compute its factors p and q. We further recall the Discrete Logarithm and strong RSA[BP97] assumptions:

Definition 2.1 (DLOG Assumption for RSA groups). We say that the Discrete Logarithm(DLOG) assumption holds for GenSRSAmod if for any PPT adversary A:

Pr

Gx′ = Y (mod N) :

N ← GenSRSAmod(1λ)

G←$Z∗N ;x←$ZY ← Gx (mod N)

x′ ← A(Z∗N , G, Y )

= negl(λ)

Definition 2.2 (Strong-RSA Assumption [BP97]). We say that the strong RSA assumptionholds for GenSRSAmod if for any PPT adversary A:

Pr

U e = G :

N ← GenSRSAmod(1λ)

G←$Z∗N(U, e)← A(Z∗N , G)

= negl(λ)

2.2 Non-Interactive Zero-Knowledge (NIZK)

We recall the definition of zero-knowledge non-interactive arguments of knowledge (NIZKs, forshort).

7

Definition 2.3 (NIZK). A NIZK for {Rλ}λ∈N is a tuple of three algorithms Π = (KeyGen,Prove,VerProof) that work as follows and satisfy the notions of completeness, knowledge soundness and(composable) zero-knowledge defined below.

– KeyGen(R) → (ek, vk) takes the security parameter λ and a relation R ∈ Rλ, and outputs acommon reference string consisting of an evaluation and a verification key.

– Prove(ek, x, w) → π takes an evaluation key for a relation R, a statement x, and a witness wsuch that R(x,w) holds, and returns a proof π.

– VerProof(vk, x, π) → b takes a verification key, a statement x, and either accepts (b = 1) orrejects (b = 0) the proof π.

Completeness. For any λ ∈ N, R ∈ Rλ and (x,w) such that R(x,w), it holds Pr[(ek, vk) ←KeyGen(R), π ← Prove(ek, x, w) : VerProof(vk, x, π) = 1] = 1.

Knowledge Soundness. Let RG be a relation generator such that RGλ ⊆ Rλ. Π has computationalknowledge soundness for RG and auxiliary input distribution Z, denoted KSND(RG,Z) for brevity,if for every (non-uniform) efficient adversary A there exists a (non-uniform) efficient extractor Esuch that Pr[GameKSNDRG,Z,A,E = 1] = negl. We say that Π is knowledge sound if there exists benignRG and Z such that Π is KSND(RG,Z).

GameKSNDRG,Z,A,E → b

(R, auxR)← RG(1λ) ; crs := (ek, vk)← KeyGen(R)

auxZ ← Z(R, auxR, crs) ;(x, π

)← A(R, crs, auxR, auxZ)

w ← E(R, crs, auxR, auxZ) ; b = VerProof(vk, x, π) ∧ ¬R(x,w)

Composable Zero-Knowledge. A scheme Π satisfies composable zero-knowledge for a relationgenerator RG if there exists a simulator S = (Skg,Sprv) such that both following conditions hold:

Keys Indistinguishability For all adversaries A

Pr

(R, auxR)← RG(1λ)

crs← KeyGen(R)

A(crs, auxR) = 1

≈ Pr


(crs, tdk)← Skg(R)

A(crs, auxR) = 1

Proof Indistinguishability For all adversaries A = (A1,A2)

Pr



(x,w, st)← A1(crs, auxR)

π ← Prove(ek, x, w)

A2(st, π) = 1

: R(x,w)

≈ Pr



(x,w, st)← A1(crs, auxR)

π ← Sprv(crs, tdk, x)

A2(st, π) = 1

: R(x,w)

Definition 2.4 (zkSNARKs). A NIZK Π is called zero-knowledge succinct non-interactive ar-gument of knowledge (zkSNARK) if Π is a NIZK as per Definition 2.3 enjoying an additionalproperty, succinctness, i.e., if the running time of VerProof is poly(λ+ |x|+ log |w|) and the proofsize is poly(λ+ log |w|).

8

Remark 2.1 (On Knowledge-Soundness). In the NIZK definition above we use a non black-boxnotion of extractability. Although this is virtually necessary in the case of zkSNARKs [GW11],NIZKs can also satisfy stronger (black-box) notions of knowledge-soundness.

2.3 Type-Based Commitments

We recall the notion of Type-Based Commitment schemes introduced by Escala and Groth [EG14].In brief, a Type-Based Commitment scheme is a normal commitment scheme with the differencethat it allows one to commit to values from different domains. More specifically, the Commit al-gorithm (therefore the VerCommit algorithm also) depends on the domain of the input, while thecommitment key remains the same. For example, as in the original motivation of [EG14], the com-mitter can use the same scheme and key to commit to elements that may belong to two differentgroups G1,G2 or a field Zp. In our work we use type-based commitments. The main benefit of thisformalization is that it can unify many commitment algorithms into one scheme. In our case thisis useful to formalize the notion of commit-and-prove NIZKs that work with commitments fromdifferent groups and schemes.

More formally, a Type-Based Commitment is a tuple of algorithms Com = (Setup,Commit,VerCommit) that works as a Commitment scheme defined above with the difference that Commitand VerCommit algorithms take an extra input t that represent the type of u. All the possible typesare included in the type space T 11.

Definition 2.5. A type-based commitment scheme for a set of types T is a tuple of algorithmsCom = (Setup,Commit,VerCommit) that work as follows:

– Setup(1λ)→ ck takes the security parameter and outputs a commitment key ck. This key includes∀t ∈ T descriptions of the input space Dt, commitment space Ct and opening space Ot.

– Commit(ck, t, u) → (c, o) takes the commitment key ck, the type t of the input and a valueu ∈ Dt, and outputs a commitment c and an opening o.

– VerCommit(ck, t, c, u, o) → b takes as a type t, a commitment c, a value u and an opening o,and accepts (b = 1) or rejects (b = 0).

Furthermore, the security properties depend on the type, in the sense that binding and hidingshould hold with respect to a certain type.

Definition 2.6. Let T be a set of types, and Com be a type-based commitment scheme for T .Correctness, t-Type Binding and t-Type Hiding are defined as follows:

Correctness. For all λ ∈ N and any input (t, u) ∈ (T ,Dt) we have:

Pr[ck← Setup(1λ), (c, o)← Commit(ck, t, u) : VerCommit(ck, t, c, u, o) = 1] = 1.

t-Type Binding. Given t ∈ T , for every polynomial-time adversary A:

Pr

[ck← Setup(1λ)

(c, u, o, u′, o′)← A(ck, t):u 6= u′ ∧ VerCommit(ck, t, c, u, o) = 1

∧ VerCommit(ck, t, c, u′, o′) = 1

]= negl

In case Com is t-Type Bidning for all t ∈ T we will say that it is Binding.

11 Normally T is finite and includes a small number of type, e.g. T = {G1,G2,Zp}.

9

t-Type Hiding. Given a t ∈ T , for ck ← Setup(1λ) and every pair of values u, u′ ∈ Dt, thefollowing two distributions are statistically close: Commit(ck, t, u) ≈ Commit(ck, t, u′).In case Com is t-Type Hiding for all t ∈ T we say it is Hiding.

Composing Type-Based Commitments. For simplicity we now define an operator that allowsto compose type-based commitment schemes in a natural way.

Definition 2.7. Let C and C′ be two commitment schemes respectively for (disjoint) sets of typesT and T ′. Then we denote by C • C′ the commitment scheme C for T ∪ T ′ such as:

– C.Setup(secpar, secpar′)→ ck : compute ck← C.Setup(secpar) and ck′ ← C′.Setup(secpar′); ck :=(ck, ck′).

– C.Commit(ck := (ck, ck′), t, u) : If t ∈ T then output C.Commit(ck, t, u); otherwise returnC′.Commit(ck′, t, u).

– C.VerCommit(ck := (ck, ck′), t, c, u, o) : If t ∈ T then return C.VerCommit(ck, t, c, u, o); otherwisereturn C′.VerCommit(ck′, t, c, u, o).

The following property of • follows immediately from its definition.

Lemma 2.1. Let C and C′ be two commitment schemes with disjoint sets of types. For all types tif C or C′ is t-hiding (resp. t-binding) then C • C′ is t-hiding (resp. t-binding).

Remark 2.2. We observe that a standard non type-based commitment scheme with input space Dinduces directly a type-based commitment scheme with the same input space and a type we denoteby T[D].

2.4 Commit-And-Prove NIZKs

We give the definition of commit-and-prove NIZKs (CP-NIZKs). We start from the definition givenin [CFQ19, BCF19] and we extend it to type-based commitments. The main benefit of such exten-sion is that we can formalize CP-NIZKs working with commitments over different domains. In anutshell, a CP-NIZK is a NIZK that can prove knowledge of (x,w) such that R(x,w) holds withrespect to a witness w = (u, ω) such that u opens a commitment cu. As done in [CFQ19], we explic-itly considers the input domain Du at a more fine grained-level splitting it over ` subdomains. Wecall them commitment slots as each of the Di-s intuitively corresponds to a committed element12.The description of the splitting is assumed part of R’s description.

In the remainder of this work we use the following shortcut definition. If C is a type-basedcommitment scheme over set of types T , we say that a relation R over (D1×· · ·×D`) is T -compatibleif for all j ∈ [`] it holds that T[Dj ] ∈ T . We say a relation family R is T -compatible if every R inR is T -compatible; a relation generator RG is T -compatible if Range(RG) is T -compatible.

Definition 2.8 (CP-NIZKs [CFQ19]). Let {Rλ}λ∈N be a family of relations R over Dx×Du×Dω such that Du splits over ` arbitrary domains (D1 × · · · × D`) for some arity parameter ` ≥ 1.Let C = (Setup,Commit,VerCommit) be a commitment scheme (as per Definition 2.5) over set oftypes T such that {Rλ}λ∈N is T -compatible. A commit and prove NIZK for C and {Rλ}λ∈N is aNIZK for a family of relations {RC

λ}λ∈N such that:

12 Each of the “open” elements in the Di-s (together with any auxiliary opening information) should also be thoughtof as the witness to the relation as we require them to be extractable. On the other hand, the commitmentsthemselves are part of the public input.

10

– every R ∈ RC is represented by a pair (ck, R) where ck ∈ C.Setup(1λ) and R ∈ Rλ;– R is over pairs (x,w) where the statement is x := (x, (cj)j∈[`]) ∈ Dx × C`, the witness is w :=

((uj)j∈[`], (oj)j∈[`], ω) ∈ D1 × · · · × D` ×O` ×Dω, and the relation R holds iff∧j∈[`]

VerCommit(ck,T[Dj ], cj , uj , oj) = 1 ∧R(x, (uj)j∈[`], ω) = 1

We denote knowledge soundness of a CP-NIZK for commitment scheme C and relation and auxiliaryinput generators RG and Z as CP-KSND(C,RG,Z).

We denote a CP-NIZK as a tuple of algorithms CP = (KeyGen,Prove,VerProof). For ease ofexposition, in our constructions we adopt the following explicit syntax for CP’s algorithms.

– KeyGen(ck, R)→ crs := (ek, vk)– Prove(ek, x, (cj)j∈[`], (uj)j∈[`], (oj)j∈[`], ω)→ π– VerProof(vk, x, (cj)j∈[`], π)→ b ∈ {0, 1}

2.5 Commit-and-Prove NIZKs with Partial Opening

We now define a variant of commit-and-prove NIZKs with a weaker notion of knowledge-soundness.In particular we consider the case where part of the committed input is not assumed to be ex-tractable (or hidden)13, i.e., such input is assumed to be opened by the adversary. This modelsscenarios where we do not require this element to be input of the verification algorithm (the verifiercan directly use a digest to it).

The motivation to define and use this notion is twofold. First, in some constructions commit-ments on sets are compressing but not knowledge-extractable. Second, in many applications thisdefinition is sufficient since the set is public (e.g., the set contain the valid coins).

The definition below is limited to a setting where the adversary opens only one input in thisfashion14. We will assume, as a convention, that in a scheme with partial opening this special inputis always the first committed input of the relation, i.e. the one denoted by u1 and corresponding toD1. We note that the commitment to u1 does not require hiding for zero-knowledge to hold.

Definition 2.9 (CP-NIZK with Partial Opening). A commit and prove NIZK with partialopening for C and {Rλ}λ∈N is a NIZK for a family of relations {RC

λ}λ∈N (defined as in Definition2.8)such that the property of knowledge soundness is replaced by knowledge soundness with partialopening below.

Knowledge Soundness with Partial Opening. Let RG be a relation generator such that RGλ ⊆Rλ. Π has knowledge soundness with partial opening for C, RG and auxiliary input distribution Z,denoted CP-poKSND(C,RG,Z) for brevity, if for every (non-uniform) efficient adversary A there

exists a (non-uniform) efficient extractor E such that Pr[GameCP-poKSNDC,RG,Z,A,E = 1] = negl. We say that Π

is knowledge sound for C if there exists benign RG and Z such that Π is CP-poKSND(C,RG,Z)15.

13 This is reminiscent of the soundness notions considered in [FFG+16]14 We can easily generalize the notion for an adversary opening an arbitrary subset of the committed inputs.15 We point out that, although in the game below we make explicit the commitment opening in the relation, this is

essentially the same notion of knowledge soundness as in CP-NIZKs (i.e. Definition 2.3) where the only tweak isthat the adversary gives explicitly the first input in the commitment slot. We make commitments explicit hopingfor the definition to be clearer. This is, however, in contrast to the definition of CP-NIZKs where the commitmentopening is completely abstracted away inside the relation.

11

GameCP-poKSNDC,RG,Z,A,E → b

ck← C.Setup(1λ); (R, auxR)←RG(1λ); R := (ck, R)

crs := (ek, vk)← KeyGen(R)

auxZ ← Z(R, auxR, crs)(x, (cj)j∈[`], u1, o1, π

)← A(R, crs, auxR, auxZ)(

(uj)j∈[`], (oj)j∈[`], ω)← E(R, crs, auxR, auxZ)

b = VerProof(vk, x, (cj)j∈[`], π) ∧

¬(∧

j∈[`]C.VerCommit(ck,T[Dj ], cj , uj , oj) = 1 ∧R(x, (uj)j∈[`], ω) = 1

)

Remark 2.3 (On Weaker ZK in the Context of Partial Opening). The notion of zero-knowledge forCP-NIZKs with partial opening that is implied by our definition above implies that the simulatordoes not have access to the opening of the first input (as it is the case in zero-knowledge for CP-NIZKs in general). Since this first commitment is opened, in principle one could also consider anddefine a weaker notion of zero-knowledge where the simulator has access to the first opened input.We leave it as an open problem to investigate if it can be of any interest.

Remark 2.4 (Full Extractability). If a CP-NIZK has an empty input u1 opened by the adversary inthe game above, then we say that it is fully extractable. This roughly corresponds to the notion ofknowledge soundness in Definition 2.3.

Composition Properties of Commit-and-Prove Schemes In [CFQ19] Campanelli et al. showa compiler for composing commit-and-prove schemes that work for the same commitment schemein order to obtain CP systems for conjunction of relations. In this section we generalize their resultsto the case of typed relations and type-based commitments. This generalization in particular canmodel the composition of CP-NIZKs that work with different commitments, as is the case in ourconstructions for set membership in which one has a commitment to a set and a commitment toan element.

We begin by introducing the following compact notation for an augmented relation generator.

Definition 2.10 (Augmented Relation Generator). Let RG be a relation generator and F(1λ)an algorithm taking as input a security parameter. Then we denote by RG[F ] the relation generatorreturning (R, (auxR, outF )) where outF ← F(1λ) and (R, auxR)← RG(1λ).

The next lemma states that we can (with certain restrictions) trivially extend a CP-NIZK forcommitment scheme C to an extended commitment scheme C • C′.

Lemma 2.2 (Extending to Commitment Composition). Let C,C′ be commitment schemesdefined over disjoint type sets T and T ′. If CP is CP-poKSND(C,RG[C.Setup],Z) for some relationand auxiliary input generators RG,Z. Then CP is CP-poKSND(C • C′,RG[C.Setup],Z) if RG isT -compatible.

We now define relation generators and auxiliary input generators for our composition constructions.

12

AuxRG(1λ) :

(R1, aux(1)R )←RG1(1λ)

(R2, aux(2)R )←RG2(1λ)

return (Rb, aux(b)R )b∈{1,2}

AuxZ(ck, (crsb, Rb, aux(b)R )b∈{1,2}) :

aux(1)Z ← Z1(ck, R1, crs1, aux

(1)R )

aux(2)Z ← Z2(ck, R2, crs2, aux

(2)R )

return (aux(b)Z )b∈{1,2}

RG∗(1λ) :

(Rb, aux(b)R )b∈{1,2} ← AuxRG(1λ)

return (R∧R1,R2, (aux

(b)R )b∈{1,2})

Z∗((ck, R∧R1,R2), (ek∗, vk∗), (auxR, aux

′R)) :

(aux(b)Z )b∈{1,2}

← AuxZ(ck, (crsb, Rb, aux(b)R )b∈{1,2})

return (aux(b)Z )b∈{1,2}

RGb(1λ) :

(Rb, aux(b)R )b∈{1,2}

← AuxRG(1λ)

return (Rb, aux(b)R

:= (R3−b, (aux(b)R )b∈{1,2}))

Zb(ck, Rb, crsb, aux(b)R ) :

Parse auxR as (R3−b, (aux(b)R )b∈{1,2})

crs3−b ← CP3−b.KeyGen(ck, R3−b)

(aux(b)Z )b∈{1,2} ← AuxZ(ck, . . .

. . . , (crsb, Rb, aux(b)R )b∈{1,2})

aux(b)Z := (crs3−b, (aux

(b)Z )b∈{1,2})

return aux(b)Z

Fig. 1: Relation and Auxiliary Input Generators for AND Composition Construction

The following lemma shows how we can compose CP-NIZKs even when one of them is fully ex-tractable but the other is not. We are interested in the conjunction R∧asym of relations of typeR1(x1, (u0, u1, u3), ω1) and R2(x2, (u2, u3), ω2) where

R∧asym(x1, x2, (u0, u1, u2, u3), ω1, ω2) := R1(x1, (u0, u1, u3), ω1) ∧R2(x2, (u2, u3), ω2)

Lemma 2.3 (Composing Conjunctions (with asymmetric extractability). Let C be a com-putationally binding commitment scheme.If CP1 is CP-poKSND(C,RG1,Z1) and CP2 is KSND(C,RG2,Z2)(where RGb,Zb are defined in terms of RGb,Zb in Figure 1 for b ∈ {1, 2}), then the scheme CP∧asymin Figure 2 is CP-poKSND(C,RG∗,Z∗) where RG∗,Z∗ are as defined in Figure 1.

The following lemma is a symmetric variant of Lemma 2.3, i.e. the CP-NIZKs we are composingare both secure over the same commitment scheme and support partial opening, that is they bothhandle relations with and adversarially open input u0. This time we are interested in the conjunctionR∧sym of relations of type R1(x1, (u0, u1, u3), ω1) and R2(x2, (u0, u2, u3), ω2) where

R∧sym(x1, x2, (u0, u1, u2, u3), ω1, ω2) := R1(x1, (u0, u1, u3), ω1) ∧R2(x2, (u0, u2, u3), ω2)

Lemma 2.4 (Composing Conjunctions (symmetric case)). Let C be a (type-based) com-putationally binding commitment scheme. If CPb is CP-poKSND(C,RGb,Zb) (where RGb,Zb aredefined in terms of RGb,Zb in Figure 1) for b ∈ {1, 2}, then the scheme CP∧sym in Figure 3 isCP-poKSND(C,RG∗,Z∗) where RG∗,Z∗ are as defined in Figure 1.

13

CP∧asym.KeyGen(ck, R∧R1,R2) :

(ek1, vk1)← CP1.KeyGen(ck, R1)


ek∗ := (ekb)b∈{1,2}

vk∗ := (vkb)b∈{1,2}

return (ek∗, vk∗)

CP∧asym.VerProof(vk∗, x1, x2, (cj)j∈[0,3], π

∗) :

b(1)ok ← CP1.VerProof(vk1, x1, (c0, c1, c3), π1)

b(2)ok ← CP2.VerProof(vk2, x2, (c2, c3), π2)

return b(1)ok ∧ b

(2)ok

CP∧asym.Prove(ek∗, x1, x2, (cj)j∈[0,3], (uj)j∈[0,3], (oj)j∈[0,3], ω1, ω2) :

π1 ← CP1.Prove(ek1, x1, (c0, c1, c3), (u0, u1, u3), (o0, o1, o3), ω1)

π2 ← CP2.Prove(ek2, x2, (c2, c3), (u2, u3), (o2, o3), ω2)

return π∗ := (πb)b∈{1,2}

Fig. 2: CP-NIZK construction for AND composition (asymmetric case)

CP∧sym.KeyGen(ck, R∧R1,R2) :



ek∗ := (ekb)b∈{1,2}

vk∗ := (vkb)b∈{1,2}

return (ek∗, vk∗)

CP∧sym.VerProof(vk∗, x1, x2, (cj)j∈[0,3], π

∗) :



return b(1)ok ∧ b

(2)ok

CP∧sym.Prove(ek∗, x1, x2, (cj)j∈[0,3], (uj)j∈[0,3], (oj)j∈[0,3], ω1, ω2) :



return π∗ := (πb)b∈{1,2}

Fig. 3: CP-NIZK construction for AND composition (symmetric case)

14

3 CP-SNARKs for Set Membership (and non-Membership)

In this section we discuss a specialization of CP-SNARKs for the specific NP relation that modelsmembership (resp. non-membership) of an element in a set, formally defined below.

Set membership relations. Let Delm be some domain for set elements, and let Dset ⊆ 2Delm be aset of possible sets over Du. We define the set membership relation Rmem : Delm ×Dset as

Rmem(U, u) = 1 ⇐⇒ u ∈ U

This is the fundamental relation that we deal with in the rest of this work.The non-membership relation Rnmem : Delm ×Dset can be defined analogously as

Rnmem(U, u) = 1 ⇐⇒ u 6∈ U

CP-SNARKs for set membership. Intuitively, a commit-and-prove SNARK for set membershipallows one to commit to a set U and to an element u, and then to prove in zero-knowledge thatRmem(U, u) = 1. More formally, let Rmem : Delm×Dset be a set membership relation as defined abovewhere T[Delm] = telm and T[Dset] = tset, and let ComS∪elm be a type-based commitment scheme forT such that tset, telm ∈ T . Basically, ComS∪elm allows one to either commit an element of Delm orto a set of values of Delm. Then a CP-SNARK for set membership is a CP-SNARK for the familyof relations {Rmem

λ } and a type-based commitment scheme ComS∪elm. It is deduced from definition2.8 that this is a zkSNARK for the relation:

R = (ck,Rmem) over (x,w) = ((x, c), (u, o, ω)) := ( (∅ , (cU , cu) ) , ( (U, u) , (oU , ou) , ∅ ) )

such that R holds iff:

Rmem(U, u) = 1 ∧ VerCommit(ck, tset, cU , U, oU ) = 1 ∧ VerCommit(ck, telm, cu, u, ou) = 1

A commit-and-prove version of Rnmem can be defined as a natural variant of the relation above.Notice that for the relation Rmem it is relevant for the proof system to be succinct so that proofs

can be at most polylogarithmic (or constant) in the the size of the set (that is part of the witness).This is why for set membership we are mostly interested in designing CP-SNARKs.

Proving arbitrary relations involving set (non-)membership. As discussed in the intro-duction, a primary motivation of proving set membership in zero-knowledge is to prove additionalproperties about an alleged set member. In order to make our CP-SNARK for set membershipa reusable gadget, we discuss a generic and simple method for composing CP-SNARKs for setmembership (with partial opening) with other CP-SNARKs (with full extractability) for arbitraryrelations. More formally, let Rmem be the set membership relation over pairs (U, u) ∈ X×Du as Rbe an arbitrary relation over pairs (u, ω), then we define as R∗ the relation:

R∗(U, u, ω) := Rmem(U, u) ∧R(u, ω)

The next corollary (direct consequence of Lemmas 2.2, 2.3) states we can straightforwardly composea CP-SNARK for set membership with a CP-SNARK for an arbitrary relation on elements of theset.

15

Corollary 3.1 (Extending Relations with Set Membership). Let CS,Cu be two computa-tionally binding commitment schemes defined over disjoint type sets TS and Tu. Let CPmem,CPu betwo CP-SNARKs and Rmem,RGu (resp. Zmem,Zu) be two relation (resp. auxiliary input) gener-ators. If CPmem is CP-poKSND(CS • Cu, Rmem,Zmem) and CPu is KSND(Cu,RGu,Zu) then thereexists a CP∗ that is CP-poKSND(CS • Cu,RG∗,Z∗) where RG∗,Z∗ are as defined in Figure 1.

In a similar fashion, we can combine an arbitrary relationR with the relation for non-membershipobtaining relation R∗ defined as:

R∗(U, u, ω) := Rnmem(U, u) ∧R(u, ω)

The next corollary states we can straightforwardly compose a CP-SNARK for set non-membershipwith a CP-SNARK for an arbitrary relation on elements in the universe of the set.

Corollary 3.2 (Extending Relations with Set non-Membership). Let CS,Cu be two compu-tationally binding commitment schemes defined over disjoint type sets TS and Tu. Let CPnmem,CPube two CP-SNARKs and Rnmem,RGu (resp. Znmem,Zu) be two relation (resp. auxiliary input) gen-erators. If CPnmem is CP-poKSND(CS • Cu, Rnmem,Znmem) and CPu is KSND(Cu,RGu,Zu) thenthere exists a CP∗ that is CP-poKSND(CS • Cu,RG∗,Z∗) where RG∗,Z∗ are as defined in Figure1.

CP-SNARKs for set membership from accumulators with proofs of knowledge. As dis-cussed in the introduction, CP-SNARKs for set membership are simply a different lens throughwhich we can approach accumulators that have a protocol for proving in zero-knowledge that acommitted value is in the accumulator (i.e., it is in the set succinctly represented by the accumu-lator). To strengthen this intuition in Appendix B we formally show that a CP-SNARK for setmembership can be constructed from an accumulator scheme that has a zero-knowledge proof forcommitted values. This allows us to capture existing schemes such as [CL02] and [Ngu05].

4 A CP-SNARK for Set Membership with Short Parameters

In this section we describe CP-SNARKs for set membership in which the elements of the setscan be committed using a Pedersen commitment scheme defined in a prime order group, and thesets are committed using an RSA accumulator. The advantage of having elements committed withPedersen in a prime order group is that our CP-SNARKs can be composed with any other CP-SNARK for Pedersen commitments and relations R that take set elements as inputs. The advantageof committing to sets using RSA accumulators is instead that the public parameters (i.e., the CRS)of the CP-SNARKs presented in this section are short, virtually independent of the size of the sets.Since RSA accumulators are not extractable commitments, the CP-SNARKs presented here aresecure in a model where the commitment to the set is assumed to be checked at least once, namelythey are knowledge-sound with partial opening of the set commitment.

A bit more in detail, we propose two CP-SNARKs. Our first scheme, called MemCPRSA, worksfor set elements that are arbitrary strings of length η, i.e., Delm = {0, 1}η, and for sets that are anysubset of Delm, i.e., Dset = 2Delm . Our second scheme, MemCPRSAPrm, instead works for set elementsthat are prime numbers of exactly µ bits, and for sets that are any subset of such prime numbers.This second scheme is a simplified variant of the first one that requires more structure on the set

16

elements (they must be prime numbers) but in exchange of that offers better efficiency. So it ispreferable in those applications that can work with prime representatives.

An High-Level Overview of Our Constructions. We provide the main idea behind our scheme,and to this end we use the simpler scheme MemCPRSAPrm in which set elements are prime numbersin(2µ−1, 2µ

). The commitment to the set P = {e1, . . . , en} is an RSA accumulator [Bd94, BP97]

that is defined as Acc = G∏ei∈P

ei for a random quadratic residue G ∈ QRN . The commitmentto a set element e is instead a Pedersen commitment ce = gehrq in a group Gq of prime order q,where q is of ν bits and µ < ν. For public commitments Acc and ce, our scheme allows to prove

in zero-knowledge the knowledge of e committed in ce such that e ∈ P and Acc = G∏ei∈P

ei . Apublic coin protocol for this problem was proposed by Camenisch and Lysyanskaya [CL02]. Theirprotocol however requires various restrictions. For instance, the accumulator must work with atleast 2λ-bit long primes, which slows down accumulation time, and the prime order group mustbe more than 4λ-bits (e.g., of 512 bits), which is undesirable for efficiency reasons, especially ifthis prime order group is used to instantiate more proof systems to create other proofs about thecommitted element. In our scheme the goal is instead to keep the prime order group of “normal”size (say, 2λ bits), so that it can be for example a prime order group in which we can efficientlyinstantiate another CP-SNARK that could be composed with our MemCPRSAPrm. And we can alsoallow flexible choices of the primes size that can be tuned to the application so that applicationsthat work with moderately large sets can benefit in efficiency. In order to achieve these goals, ouridea to create a membership proof is to compute the following:

– An accumulator membership witness W = G∏ei∈P\{e}

ei , and an integer commitment to e in theRSA group, Ce = GeHr.

– A ZK proof of knowledge CPRoot of a committed root for Acc, i.e. a proof of knowledge of e andW such that W e = Acc and Ce = GeHr. Intuitively, this gives that Ce commits to an integerthat is accumulated in Acc (at this point, however, the integer may be a trivial root, i.e., 1).

– A ZK proof CPmodEq that Ce and ce commit to the same value modulo q.– A ZK proof CPRange that ce commits to an integer in the range

(2µ−1, 2µ

).

From the combination of the above proofs we would like to conclude that the integer committed ince is in P . Without further restrictions, however, this may not be the case; in particular, since forthe value committed in Ce we do not have a strict bound it may be that the integer committed ince is another eq such e = eq (mod q) but e 6= eq over the integers. In fact, the proof CPRoot doesnot guarantee us that Ce commits to a single prime number e, but only that e divides

∏ei∈P ei,

namely e might be a product of a few primes in P or the corresponding negative value, while itsresidue modulo q may be some value that is not in the set—what we call a “collision”. We solvethis problem by taking in consideration that eq is guaranteed by CPRange to be in

(2µ−1, 2µ

)and by

enhancing CPRoot to also prove a bound on e: roughly speaking |e| < 22λs+µ for a statistical securityparameter λs. Using this information we develop a careful analysis that bounds the probability thatsuch collisions can happen for a malicious e (see Section 4.2 for more intuition).

In the following section we formally describe the type-based commitment scheme supportedby our CP-SNARK, and a collection of building blocks. Then we present the MemCPRSA andMemCPRSAPrm CP-SNARKs in Sections 4.2 and 4.3 respectively, and finally we give instantiationsfor some of our building blocks in Section 4.4.

Remark 4.1. Although we specifically describe our protocols for RSA groups, they generalize towork over any Hidden Order Group with slight modifications. See appendix E for details.

17

Setup(1λ) : Choose a prime order group Gq of orderq ∈ (2ν−1, 2ν) and generators g, h←$Gq.Return ck := (Gq, g, h)

Commit(ck, tq, u) : sample r←$Zq.Return (c, o) := (guhr, r).

VerCommit(ck, tq, c, u, r) : Output 1 if c = guhr; out-put 0 otherwise.

(a) PedCom

Setup(1λ, 1µ) : LetN ← GenSRSAmod(1λ), F ←$Z∗N ,and Hprime ←$H; computeG← F 2 mod N ∈ QRN .Return ck := (N,G,Hprime).

Commit(ck, tU , U) : compute P := {Hprime(u) | u ∈U}, Acc← GprodP . Return (c, o) := (Acc,∅).

VerCommit(ck, tU ,Acc, U,∅) : compute P := {Hprime(u) |u ∈ U} and return 1 iff Acc = GprodP mod N .

(b) SetComRSA

Fig. 4: RSA Accumulator and Pedersen commitment schemes for RSAHashmem.

4.1 Preliminaries and Building Blocks

Notation. Given a set U = {u1, . . . , un} ⊂ Z of cardinality n we denote compactly with prodU :=∏ni=1 ui the product of all its elements. We use capital letters for elements in an RSA group Z∗N ,

e.g., G,H ∈ Z∗N . Conversely, we use small letters for elements in a prime order group Gq, e.g.,g, h ∈ Gq. Following this notation, we denote a commitment in a prime order group as c ∈ Gq,while a commitment in an RSA group as C ∈ Z∗N .

Commitment Schemes. Our first CP-SNARK, called MemCPRSA, is for a family of relationsRmem : Delm × Dset such that Delm = {0, 1}η, Dset = 2Delm , and for a type-based commitmentscheme that is the canonical composition SetComRSA • PedCom of the two commitment schemesgiven in Fig. 4. PedCom is essentially a classical Pedersen commitment scheme in a group Gq ofprime order q such that q ∈ (2ν−1, 2ν) and η < ν. PedCom is used to commit to set elements and itstype is tq. SetComRSA is a (non-hiding) commitment scheme for sets of η-bit strings, that is builtas an RSA accumulator [Bd94, BP97] to a set of µ-bit primes, each derived from an η-bit string bya deterministic hash function Hprime : {0, 1}η → Primes

(2µ−1, 2µ

). SetComRSA is computationally

binding under the factoring assumption16 and the collision resistance of Hprime. Its type for sets istU .

Hashing to primes. The problem of mapping arbitrary values to primes in a collision-resistantmanner has been studied in the past, see e.g., [GHR99, CMS99, CS99], and in [FT14] a method togenerate random primes is presented. Although the main idea of our scheme would work with anyinstantiation of Hprime, for the goal of significantly improving efficiency, our construction considersa specific class of Hprime functions that work as follows. Let H : {0, 1}η × {0, 1}ι → {0, 1}µ−1 be acollision-resistant function, and define Hprime(u) as the function that starting with j = 0, looks forthe first j ∈ [0, 2ι − 1] such that the integer represented by the binary string 1|H(u, j) is prime.In case it reaches j = 2ι − 1 it failed to find a prime and outputs ⊥ 17. We consider two maincandidates of such function H (and thus Hprime):

– Pseudorandom function. Namely H(u, j) := Fκ(u, j) where Fκ : {0, 1}η+ι is a PRF with publicseed κ and ι = dlogµλe. Due to the density of primes, the corresponding Hprime runs in theexpected running time O(µ) and ⊥ is returned with probability ≤ exp(−λ) = negl(λ).18 Underthe random oracle heuristic, F can be instantiated with a hash function like SHA256.

16 Here is why: finding two different sets of primes P, P ′, P 6= P ′ such that GprodP = Acc = GprodP ′ implies finding aninteger α = prodP − prodP ′ 6= 0 such that Gα = 1. This is known to lead to an efficient algorithm for factoring N .

17 For specific instantiations of H, ι can be set so that ⊥ is returned with negligible probability.18 We assume for simplicity that the function never outputs ⊥, though it can happen with negligible probability.

18

– Deterministic map. H(u, j) := f(u) + j with u > 2η−1 and j ∈ (f(u), f(u + 1)), where f(u) :=2(u+ 2) log2(u+ 1)2. The corresponding function Hprime(u) is essentially the function that mapsto the next prime after f(u). This function is collision-free (indeed it requires to take µ > η)and generates primes that can be smaller (in expectation) than the function above. Cramer’sconjecture implies that the interval (f(u), f(u+1)) contains a prime when u is sufficiently large.

CP-NIZK for H computation and PedCom. We use a CP-NIZK CPHashEq for the relationRHashEq : {0, 1}µ × {0, 1}η × {0, 1}ι defined as

RHashEq(u1, u2, ω) = 1 ⇐⇒ u1 = (1|H(u2, ω))

and for the commitment scheme PedCom. Essentially, with this scheme one can prove that twocommitments ce and cu in Gq are such that ce = gehrq , cu = guhru and there exists j such thate = (1|H(u, j)). As it shall become clear in our security proof, we do not have to prove all theiterations of H until finding j such that (1|H(u, j)) = Hprime(u) is prime, which saves significantlyon the complexity of this CP-NIZK.

Integer Commitments. We use a scheme for committing to arbitrarily large integer values in RSAgroups introduced by Fujisaki and Okamoto [FO97] and later improved in [DF02]. We briefly recallthe commitment scheme. Let Z∗N be an RSA group. The commitment key consists of two randomlychosen generators G,H ∈ Z∗N ; to commit to any x ∈ Z one chooses randomly an r←$ [1, N/2] andcomputes C ← GxHr; the verifier checks whether or not C = ±GxHr. This commitment schemeis statistically hiding and computationally binding under the assumption that factoring is hardin Z∗N . Furthermore, a proof of knowledge of an opening was presented in [DF02], its knowledgesoundness was based on the strong RSA assumption, and later found to be reducible to the plainRSA assumption in [CPP17]. We denote this commitment scheme as IntCom.

Strong-RSA Accumulators. As observed earlier, our commitment scheme for sets is an RSAaccumulator Acc computed on the set of primes P derived from U through the map to primes, i.e.,P := {Hprime(s)|s ∈ U}. In our construction we use the accumulator’s feature for computing succinct

membership witnesses, which we recall works as follows. Given Acc = G∏ei∈P

ei := GprodP , the

membership witness for ek is Wk = G∏ei∈P\{ek}

ei , which can be verified by checking if W ekk = Acc.

Argument of Knowledge of a Root. We make use of a zero-knowledge non-interactive argumentof knowledge of a root of a public RSA group element Acc ∈ QRN . This NIZK argument is calledCPRoot. More precisely, it takes in an integer commitment to a e ∈ Z and then proves knowledge

of an e-th root of Acc, i.e., of W = Acc1e . More formally, CPRoot is a NIZK for the relation RRoot :

(Z∗N × QRN × N)× (Z× Z× Z∗N ) defined asRRoot ((Ce,Acc, µ), (e, r,W )) = 1 iff

Ce = ±GeHr mod N ∧ W e = Acc mod N ∧ |e| < 2λz+λs+µ+2

where λz and λs are the statistical zero-knowledge and soundness security parameters respectivelyof the protocol CPRoot. CPRoot is obtained by applying the Fiat-Shamir transform to a public-coin protocol that we propose based on ideas from the protocol of Camenisch and Lysysanskayafor proving knowledge of an accumulated value [CL02]. In [CL02], the protocol ensures that thecommitted integer e is in a specific range, different from 1 and positive. In our CPRoot protocolwe instead removed these constraints and isolated the portion of the protocol that only proves

19

knowledge of a root. We present the CPRoot protocol in Section 4.4; its interactive public coinversion is knowledge sound under the RSA assumption and statistical zero-knowledge. Finally, wenotice that the relation RRoot is defined for statements where Acc ∈ QRN , which may not beefficiently checkable given only N if Acc is adversarially chosen. Nevertheless CPRoot can be usedin larger cryptographic constructions that guarantee Acc ∈ QRN through some extra information,as is the case in our scheme.

Proof of Equality of Commitments in Z∗N and Gq. Our last building block, called CPmodEq,proves in zero-knowledge that two commitments, a Pedersen commitment in a prime order groupand an integer commitment in an RSA group, open to the same value modulo the prime orderq = ord(G). This is a conjunction of a classic Pedersen Σ-protocol and a proof of knowledge ofopening of an integer commitment [DF02], i.e. for the relation

RmodEq ((Ce, ce), (e, eq, r, rq)) = 1 iff e = eq mod q ∧ Ce = ±GeHr mod N ∧ ce = geq mod qhrq mod q

We present CPmodEq in Section 4.4.

4.2 Our CP-SNARK MemCPRSA

We are now ready to present our CP-SNARK MemCPRSA for set membership. The scheme is fullydescribed in Figure 5 and makes use of the building blocks presented in the previous section.

The KeyGen algorithm takes as input the commitment key of Com1 and a description of Rmem

and does the following: it samples a random generator H←$ QRN so that (G,H) define a key forthe integer commitment, and generate a CRS crsHashEq of the CPHashEq CP-NIZK.

For generating a proof, the ideas are similar to the ones informally described at the beginning ofSection 4 for the case when set elements are prime numbers. In order to support sets U of arbitrarystrings the main differences are the following: (i) we use Hprime in order to derive a set of primes Pfrom U , (ii) given a commitment cu to an element u ∈ {0, 1}η, we commit to e = Hprime(u) in ce;(iii) we use the previously mentioned ideas to prove that ce commits to an element in P (that iscorrectly accumulated), except that we replace the range proof πRange with a proof πHashEq that cuand ce commits to u and e respectively, such that ∃j : e = (1|H(u, j)).

Remark 4.2 (On the support of larger η.). In order to commit to a set element u ∈ {0, 1}η withthe PedCom scheme we require η < ν. This condition is actually used for ease of presentation. It isstraightforward to extend our construction to the case η ≥ ν, in which case every u should be splitin blocks of less than ν bits that can be committed using the vector Pedersen commitment.

The correctness of MemCPRSA can be checked by inspection: essentially, it follows from thecorrectness of all the building blocks and the condition that η, µ < ν. For succinctness, we observethat the commitments CU , cu and all the three proofs have size that does not depend on thecardinality of the set U , which is the only portion of the witness whose size is not a-priori fixed.

Proof of Security. Recall that the goal is to prove in ZK that cu is a commitment to an elementu ∈ {0, 1}η that is in a set U committed in CU . Intuitively, we obtain the security of our schemefrom the conjunction of proofs for relations RRoot, RmodEq and RHashEq: (i) πHashEq gives us that cecommits to eq = (1|H(u, j)) for some j and for u committed in cu. (ii) πmodEq gives that Ce commitsto an integer e such that e mod q = eq is committed in ce. (iii) πRoot gives us that the integer ecommitted in Ce divides prodP , where CU = GprodP with P = {Hprime(ui) : ui ∈ U}.

20

KeyGen(ck, R∈) : parse ck := ((N,G,Hprime), (Gq, g, h)) as the commitment keys of SetComRSA and PedComrespectively. Sample a random generator H.Generate crsHashEq ←$CPHashEq.KeyGen((Gq, g, h), RHashEq), a crs for CPHashEq.Return crs := (N,G,H,Hprime,Gq, g, h, crsHashEq).Given crs, one can define crsRoot := (N,G,H), crsmodEq := (N,G,H,Gq, g, h).

Prove(crs, (CU , cu), (U, u), (∅, ru)) : e← Hprime(u) = (1|H(u, j)), (ce, rq)← Com1.Commit(ck, tq, e).

(Ce, r)← IntCom.Commit((G,H), e); P ← {Hprime(u) : u ∈ U}, W = G∏ei∈P\{e}

ei .πRoot ← CPRoot.Prove(crsRoot, (Ce, CU , µ), (e, r,W ))πmodEq ← CPmodEq.Prove(crsmodEq, (Ce, ce), (e, e, r, rq))πHashEq ← CPHashEq.Prove(crsHashEq, (ce, cu), (e, u), (rq, ru), j)Return π := (Ce, ce, πRoot, πmodEq, πHashEq).

VerProof(crs, (CU , cu), π) : Return 1 iff CPRoot.VerProof(crsRoot, (Ce, CU , µ), πRoot) = 1 ∧CPmodEq.VerProof(crsmodEq, (Ce, ce), πmodEq) = 1 ∧ CPHashEq.VerProof(crsHashEq, (ce, cu), πHashEq) = 1.

Fig. 5: MemCPRSA CP-SNARK for set membership

By combining these three facts we would like to conclude that eq ∈ P that, together withπHashEq, should also guarantee u ∈ U . A first problem to analyze, however, is that for e we do nothave guarantees of a strict bound in

(2µ−1, 2µ

); so it may in principle occur that e = eq (mod q) but

e 6= eq over the integers. Indeed, the relation RRoot does not guarantee us that e is a single primenumber, but only that e divides the product of primes accumulated in CU . Assuming the hardnessof Strong RSA we may still have that e is the product of a few primes in P or even is a negativeinteger. We expose a simple attack that could arise from this: an adversary can find a product ofprimes from the set P , let it call e, such that e = eq (mod q) but e 6= eq over the integers. Sincee is a legitimate product of members of P , the adversary can efficiently compute the e-th root ofCU and provide a valid πRoot proof. This is what we informally call a “collision”. Another simpleattack would be that an adversary takes a single prime e and then commits to its opposite eq ← −emod q in the prime order group. Again, since e ∈ P the adversary can efficiently compute the e-throot of CU , W e = CU , and then the corresponding −e-th root of CU ,

(W−1

)−e= CU . This is a

second type of attack to achieve what we called “collision”. With a careful analysis we show thatwith appropriate parameters the probability that such collisions occur can be either 0 or negligible.

One key observation is that RRoot does guarantee a lower and an upper bound, −2λz+λs+µ+2

and 2λz+λs+µ+2 respectively, for e committed in Ce. From these bounds (and that e | prodP ) weget that an adversarial e can be the product of at most d = 1 + bλz+λs+2

µ c primes in P (or their

corresponding negative product). Then, if 2dµ ≤ 2ν−2 < q, or dµ+ 2 ≤ ν, we get that e < 2dµ < q.In case e > 0 and since q is prime, e = eq mod q ∧ e < q implies that e = eq over Z, namely nocollision can occur at all. In the other case e < 0 we have e > −2dµ and e = eq (mod q) impliese = −q + eq < −2ν−1 + 2µ < −2ν−1 + 2ν−2 = −2ν−2. Therefore, −2dµ < −2ν−2, which is acontradiction since we assumed dµ+ 2 ≤ ν. So this type of collision cannot happen.

If on the other hand we are in a parameters setting where dµ > ν−2, we give a concrete boundon the probability that such collisions occur. More precisely, for this case we need to assume thatthe integers returned by H are random, i.e., H is a random oracle, and we also use the implicit factthat RHashEq guarantees that eq ∈

(2µ−1, 2µ

). Then we give a concrete bound on the probability

that the product of d out of poly(λ) random integers lies in a specific range(2µ−1, 2µ

), which turns

out to be negligible when d is constant and 2µ−ν is negligible.

21

Since the requirements of security are slightly different according to the setting of parametersmentioned above, we state two separate theorems, one for each case.

Theorem 4.1. Let PedCom, SetComRSA and IntCom be computationally binding commitments,CPRoot, CPmodEq and CPHashEq be knowledge-sound NIZK arguments, and assume that the StrongRSA assumption hold, and that H is collision resistant. If dµ+2 ≤ ν, then MemCPRSA is knowledge-sound with partial opening of the set commitments CU .

Theorem 4.2. Let PedCom, SetComRSA and IntCom be computationally binding commitments,CPRoot, CPmodEq and CPHashEq be knowledge-sound NIZK arguments, and assume that the StrongRSA assumption hold, and that H is collision resistant. If dµ+2 > ν, d = O(1) is a small constant,2µ−ν ∈ negl(λ) and H is modeled as a random oracle, then MemCPRSA is knowledge-sound withpartial opening of the set commitments CU .

Remark 4.3. It is worth noting that Theorem 4.2 where we assume H to be a random oracle requiresa random oracle assumption stronger than usual; this has to do with the fact that while we assumeH to be a random oracle we also assume that CPmodEq can create proof about correct computationsof H. Similar assumptions have been considered in previous works, see, e.g, [Val08, Remark 2].

Finally, we state the theorem about the zero-knowledge of MemCPRSA.

Theorem 4.3. Let PedCom, SetComRSA and IntCom be statistically hiding commitments, CPRoot,CPmodEq and CPHashEq be zero-knowledge arguments. Then MemCPRSA is zero-knowledge.

Proof [sketch] The proof is rather straightforward, so we only provide a sketch. We define thesimulator S that takes as input (crs, CU , cu) and does the following:

– Parses crs := (N,G,H,Hprime,Gq, g, h, crsHashEq), from which it computes the correspondingcrsRoot := (N,G,H) and crsmodEq := (N,G,H,Gq, g, h).

– Samples at random C∗e ←$Z∗N and c∗e←$Gq.– Invokes SRoot(crsRoot, C

∗e , CU ), SmodEq(crsmodEq, C

∗e , c∗e) and SHashEq(crsHashEq, c

∗e, cu) the corre-

sponding simulators of CPRoot, CPmodEq and CPHashEq respectively. They output simulated proofπ∗Root, π

∗modEq and π∗HashEq respectively.

– S outputs (C∗e , c∗e, π∗Root, π

∗modEq, π

∗HashEq).

Let π := (Ce, ce, πRoot, πmodEq, πHashEq) ← Prove(crs, (CU , cu), (U, u), (∅, ru)) be the output of areal proof. Since IntCom and PedCom are statistically hiding C∗e and c∗e are indistinguishable fromCe and ce resp. Finally, since CPRoot, CPmodEq and CPHashEq are zero knowledge arguments π∗Root,π∗modEq and π∗HashEq are indistinguishable from πRoot, πmodEq and πHashEq resp. ut

Notation. We introduce some notation that eases our proofs exposition. Let U = {u1, . . . , un} ⊂ Zbe a set of cardinality n. We denote as prod a product of (an arbitrary number of) elements ofU , prod =

∏i∈I ui, for some I ⊆ [n]. Furthermore, ΠU = {prod1, . . . , prod2n−1} is the set of all

possible products and more specifically ΠU,d ⊆ ΠU denotes the set of possible products of exactlyd elements of U , |I| = d, while for the degenerate case of d > n we define ΠU,d = ∅. We note that|ΠU,d| =

(nd

)(except for the degenerate case where |ΠU,d| = 0). For convenience, in the special case

of prod ∈ ΠU,|U |, i.e. the (unique) product of all elements of U , we will simply write prodU . Finally,

for a J ⊆ [n] we let ΠU,J = ∪j∈JΠU,j ; for example ΠU,[1,...,d] = ∪dj=1ΠU,j is the set of all possible

22

products of up to d elements of U . For all of the above we also denote with ”−” the correspondingset of the opposite element, e.g. −ΠU = {−prod1, . . . ,−prod2n−1}

Proof [of Theorem 4.1] Let a malicious prover P∗, a PPT adversary of Knowledge Soundness withPartial Opening (see the definition in section 2.5) that on input (ck, Rmem, crs, auxR, auxZ) outputs(CU , cu, U, π) such that the verifier V accepts, i.e. VerProof(crs, CU , cu), π) = 1 and VerCommit(ck, tU ,CU , U,∅) = 1 with non-negligible probability ε. We will construct a PPT extractor E that on thesame input outputs a partial witness (u, rq) such that Rmem(U, u) = 1∧VerCommit(ck, tq, cu, u, rq) =1.

For this we rely on the Knowledge Soundness of CPRoot,CPmodEq and CPHashEq protocols. Eparses π := (Ce, ce, πRoot, πmodEq, πHashEq) and crs := (N,G,H,Hprime,Gq, g, h, crsHashEq), from whichit computes the corresponding crsRoot := (N,G,H) and crsmodEq := (N,G,H,Gq, g, h). Then con-structs an adversary ARoot for CPRoot Knowledge Soundness that outputs (Ce, CU , µ, πRoot). It is ob-vious that since V accepts π then it also accepts πRoot, i.e., CPRoot.VerProof(crsRoot, (Ce, CU , µ), πRoot) =1. From Knowledge Soundness of CPRoot we know that there is an extractor ERoot that out-puts (e, r,W ) such that Ce = ±GeHr (mod N) ∧W e = CU (mod N) ∧ |e| < 2λz+λs+µ+2. Sim-ilarly, E constructs adversaries AmodEq and AHashEq of protocols CPmodEq and CPHashEq respec-tively. And similarly there are extractors EmodEq and EHashEq that output (e′, eq, r

′, rq) such thate′ = eq (mod q)∧Ce′ = ±Ge′Hr′ (mod N)∧ceq = geq mod qhrq mod q and (e′q, u, r

′q, ru, j) such that

ce = ge′qhr

′q ∧ e′q = (1|H(u, j)) respectively.

From the Binding property of the integer commitment scheme we get that e = e′ and r = r′

(over the integers), unless with a negligible probability. Similarly, from the Binding property of thePedersen commitment scheme we get that eq = e′q (mod q) and rq = r′q (mod q), unless with a neg-ligible probability. So if we put everything together the extracted values are (e, r,W, eq, rq, u, ru, j)such that:

W e = CU (mod N) ∧ |e| < 2λz+λs+µ+2 ∧ e = eq (mod q) ∧ eq = (1|H(u, j))

and additionally

Ce = ±GeHr ∧ ce = geq mod qhrq mod q ∧ VerCommit(ck, tq, cu, u, ru) = 1

From VerCommit(ck, tU , CU , U,∅) = 1 we infer that CU = GprodP , where P := {Hprime(u) |u ∈ U}. From the strong RSA assumption since W e = CU = GprodP (mod N) we get e ∈ ΠP ore ∈ −ΠP , unless with a negligible probability (see appendix A.1).

Since, all the elements of P are outputs of Hprime they have exactly bitlength µ, that is 2µ−1 <ei < 2µ for each ei ∈ P . This means that e is a (±) product of µ-sized primes. Let |e| be a productof ` primes, meaning that 2`(µ−1) < |e| < 2`µ, and d := bλz+λs+µ+2

µ c. From |e| < 2λz+λs+µ+2 we get

that 2`µ < 2λz+λs+µ+2 ⇒ ` < d which means that e ∈ ΠP,[1,...,d] or e ∈ −ΠP,[1,...,d] (i.e. e is a (±)product of at most d primes).

First we show that e ∈ ΠP , i.e., that e cannot be negative. Let e ∈ −ΠP,[1,...,d]. We use the fact

that e = eq (mod q), so e ≤ −q + eq < −2ν−1 + 2µ < −2ν−1 + 2ν−2 = −2ν−2. Since −2dµ < ethis leads to −2dµ < −2ν−2 which contradicts the assumption dµ + 2 ≤ ν (we used the fact thateq = (1|H(u, j)) to conclude that 2µ−1 < eq < 2µ, which comes from the definition of H). So e > 0or e ∈ ΠP,[1,...,d].

Recall that e < 2dµ. From the assumption dµ+ 2 ≤ ν which means that e < 2dµ < 2ν−2 < q ⇒e < q. Since e = eq (mod q) and e < q this means that e = eq over the integers. Again we are using

23

the fact that eq = (1|H(u, j)) to conclude that 2µ−1 < eq < 2µ, which comes from the definition ofH, and combined with e = eq we get that 2µ−1 < e < 2µ. The last fact means that e ∈ ΠP,{1} (i.e.e is exactly one prime from P ) otherwise it would exceed 2µ, so e ∈ P .

Finally, e = eq = (1|H(u, j)) = Hprime(u) ∈ P = {Hprime(u1), . . . ,Hprime(un)}, where U :={u1, . . . , un}. This means that there is an i such that Hprime(u) = Hprime(ui). From collision resistanceof Hprime we infer that u = ui. So we conclude that u ∈ U or Rmem(U, u) = 1 and as shown aboveVerCommit(ck, tq, cu, u, ru) = 1. ut

Collision Finding Analysis For the second theorem we cannot count on the formula dµ+ 2 ≤ νthat ensures that the extracted integer e lies inside [0, q − 1]. As explained above, we can onlyrely on the randomness of each prime to avoid the described ”collisions”. First, we formally definewhat a ”collision” is through a probabilistic experiment, CollisionFinding, and then we compute aconcrete bound for the probability that this event happens, i.e. the experiment outputs 1. Finally,we state a theorem that shows this probability is asymptotically negligible under the assumptionthat 2µ−ν is a negligible value (and d is a constant).

CollisionFinding(µ, d,Gq, n)

Let P ⊆ Primes(2µ−1, 2µ

)be a randomly chosen set of cardinality n, i.e. each e ∈ P is chosen

uniformly at random, ei←$ Primes(2µ−1, 2µ

)meaning that:

1. ei is prime.2. 2µ−1 ≤ ei ≤ 2µ

3. Pr[ei = x] = µ2µ + negl(λ) for each x ∈ Primes

(2µ−1, 2µ

)The output of the experiment is 1 iff there exists prod ∈

(ΠP,[2,d] ∪ −ΠP,[2,d]

)such that

(prod mod q) ∈(2µ−1, 2µ

)Lemma 4.1. Let Gq be a prime order group of order q ∈

(2ν−1, 2ν

)and µ such that µ < ν then

Pr[CollisionFinding(µ, d,Ge, n) = 1] ≤ 2 ·∑d

j=2

(nj)2(j+1)µ−j−ν(2j−1)2jµ−j(µ−1)j

−(nj)

Proof First we will prove it for positive products, that is we bound the probabilityPr[CollisionFinding(µ, d,Ge, n) = 1|prod ∈ ΠP,[2,d]]. Let prod = q1...qj be a product of exactly jprimes for a 2 ≤ j ≤ d. Since qi ∈

(2µ−1, 2µ

)we get prod = q1...qj ∈

(2jµ−j , 2jµ

). Also Z∗q is cyclic

so we know that at most⌈∣∣(2jµ−j , 2jµ)∣∣q

⌉=

⌈2jµ − 2jµ−j

q

⌉=

⌈2jµ−j · (2j − 1)

q

⌉≤ 2jµ−j−ν+1 · (2j − 1)

integers in(2jµ−j , 2jµ

)are equal to c modulo q, for any c ∈ {0, 1, ..., q − 1}.

We are interested in the interval(2µ−1, 2µ

)modulo q. From the previous we get that at most

2jµ−j−ν+1 · (2j − 1) ·∣∣(2µ−1, 2µ)∣∣ = 2jµ−j−ν+1 · (2j − 1) · 2µ−1 = 2(j+1)µ−j−ν(2j − 1) integers in the

24

range of(2jµ−j , 2jµ

)are “winning” integers for the adversary, meaning that after modulo q they

are mapped to the winning interval(2µ−1, 2µ

).

From the distribution of primes we know that the number of primes in(2µ−1, 2µ

)is ap-

proximately 2µ−1

µ−1 . So there are (approximately)(2µ−1

µ−1

)j= 2jµ−j

(µ−1)j different products of j primes

from Primes(2µ−1, 2µ

)in(2jµ−d, 2jµ

). This leads us to the combinatorial experiment of choice of

B = 2jµ−j

(µ−1)j “balls”, with T = 2(j+1)µ−j−ν(2j − 1) “targets” and X =(nj

)“tries” without replace-

ment, where “balls” are all possible products, “targets” are the ones that go to(2µ−1, 2µ

)modulo

q (the winning ones) and tries are the number of products (for a constant j) that the adversarycan try. The “without replacement” comes from the fact that all products are different. The finalwinning probability is:

Pr[prod mod q ∈(2µ−1, 2µ

)∧ prod ∈ ΠP,j ] ≤

T

B+

T

B − 1+

T

B − 2+ . . .+

T

B −X

≤ X · T

B −X

=

(nj

)2(j+1)µ−j−ν(2j − 1)

2jµ−j

(µ−1)j −(nj

)By applying the union bound for all j’s we get:


)∧ prod ∈ ΠP,[2,d]] ≤

d∑j=2

(nj

)2(j+1)µ−j−ν(2j − 1)

2jµ−j

(µ−1)j −(nj

)By using the same arguments for negative products we would conclude that


)∧ prod ∈ −ΠP,[2,d]] ≤

d∑j=2

(nj

)2(j+1)µ−j−ν(2j − 1)

2jµ−j

(µ−1)j −(nj

)Therefore

Pr[CollisionFinding(µ, d,Ge, n) = 1] =Pr[CollisionFinding(µ, d,Ge, n) = 1 ∧ prod ∈ ΠP,[2,d]]+

+Pr[CollisionFinding(µ, d,Ge, n) = 1 ∧ prod ∈ −ΠP,[2,d]] =

≤2 ·d∑j=2

(nj

)2(j+1)µ−j−ν(2j − 1)

2jµ−j

(µ−1)j −(nj

)ut

Theorem 4.4. Let Gq be a prime order group of order q ∈(2ν−1, 2ν

), µ such that 2µ−ν ∈ negl(λ),

d constant and n = poly(λ) then Pr[CollisionFinding(µ, d,Gq, n) = 1] ∈ negl(λ)

Proof Now n = poly(λ) so the set P is polynomially bounded. Due to lemma 4.1 it is straight-

forward that Pr[CollisionFinding(µ, d,Gq, n) = 1] ≤∑d

j=2

(nj)2(j+1)µ−j−ν(2j−1)2jµ−j(µ−1)j

−(nj). Since d is constant,

for any j ∈ [2, d](nj

)= O(nj) and we get:

25

2 ·(nj

)2(j+1)µ−j−ν(2j − 1)

2jµ−j

(µ−1)j −(nj

) = 2 · O(nj)2(j+1)µ−j−ν(2j − 1)2jµ−j

(µ−1)j −O(nj)

= 2 · O(nj)(2j − 1)(µ− 1)j

2jµ−j

2(j+1)µ−j−ν −O(nj)(µ−1)j2(j+1)µ−j−ν

O(nj)(2j − 1)(µ− 1)j = poly(λ) and O(nj)(µ−1)j2(j+1)µ−j−ν = negl(λ). Also 2jµ−j

2(j+1)µ−j−ν = 2ν−µ, therefore for j

we get a probability bounded by poly(λ)2µ−ν

1−negl(λ)2µ−ν = negl(λ) by assumption.

Finally, Pr[CollisionFinding(µ, d,Gq, n) = 1] ≤ (d− 1) · negl(λ) = negl(λ). ut

Remark 4.4. For the sake of generality, in CollisionFinding we do not specify how the random primesare generated. In practice in our scheme they are outputs of the hash function Hprime that we modelas a random oracle.

Now we are ready to give the proof of theorem 4.2:

Proof [of theorem 4.2] The proof is almost the same as the one of Theorem 4.1 except for thenext-to-last paragraph, i.e. the justification of e ∈ ΠP,{1}. Since dµ+ 2 > ν we cannot use the samearguments to conclude to it. However, still e ∈

(ΠP,[1,...,d] ∪ −ΠP,[1,...,d]

).

Let e ∈(ΠP,[1,...,d] ∪ −ΠP,[1,...,d]

), it is straightforward to reduce this case to the the collision

finding problem. Assume that the adversary P∗ made qH random oracle queries to H and let QH

be the set of answers she received. Further assume that exactly qHprimeof the them are primes and

let QHprimebe the set of them. We note that P ⊆ QHprime

, unless a collision happened in H.

Now let QHprimebe the set of the CollisionFinding(µ, d,Gq, |QHprime

|) experiment. It satisfies allthree conditions since each ei ∈ QHprime

is an output of Hprime. Therefore ei is prime, 2µ−1 <ei < 2µ and since H is modeled as a random oracle the outputs of Hprime are uniformly dis-tributed in Primes

(2µ−1, 2µ

). Then for the extracted e, we know that e = eq (mod q) ∈

(2µ−1, 2µ

)and from the assumption e ∈

(ΠP,[1,...,d] ∪ −ΠP,[1,...,d]

), which (as noted above) means that e ∈(

ΠQHprime,[2,...,d] ∪ −ΠQHprime

,[2,...,d]

). So CollisionFinding(µ, d,Gq, |QHprime

|) = 1. Since the adversary is

PPT |QHprime| = poly(λ). Also, d = O(1) and 2µ−ν ∈ negl(λ) (from the assumptions of the theorem)

so the previous happens with a negligible probability according to theorem 4.4. So we concludethat, unless with a negligible probability, e ∈ ΠP,{1}. ut

4.3 Our CP-SNARK for Set Membership for Primes Sets

In this section we show a CP-SNARK for set membership MemCPRSAPrm that supports set ele-ments that are prime numbers of exactly µ bits, i.e., Delm = Primes(2µ−1, 2µ), and Dset = 2Delm .MemCPRSAPrm works for a type-based commitment scheme Com2 that is the canonical compositionSetComRSA′ •PedCom where SetComRSA′ is in Fig. 6 (it is essentially a simplification of SetComRSA

since elements are already primes).

The scheme MemCPRSAPrm is described in figure 7. Its building blocks are the same as theones for MemCPRSA except that instead of a CP-NIZK for proving correctness of a map-to-prime

26

Setup(1λ, 1µ) : Sample an RSA modulus N ← GenSRSAmod(1λ), a generator F ←$Z∗N , compute G← F 2 modN ∈ QRN . Return ck := (N,G).

Commit(ck, tU , U) : compute Acc← GprodP . Return (c, o) := (Acc,∅).

VerCommit(ck, tU ,Acc, U,∅) : Return 1 if for all ei ∈ P ei ∈ Primes(2µ−1, 2µ

)and Acc = GprodP mod N , and 0

otherwise.

Fig. 6: SetComRSA′ Commitment to Sets.

KeyGen(ck, R∈) : parse ck := ((N,G), (Gq, g, h)) as the commitment keys of SetComRSA′ and PedCom respec-tively. Sample a random generator H.Generate crsRange ←$CPRange.KeyGen((Gq, g, h), RRange), a crs for CPRange.Return crs := (N,G,H,Gq, g, h, crsRange).Given crs, one can define crsRoot := (N,G,H), crsmodEq := (N,G,H,Gq, g, h).

Prove(crs, (CP , ce), (P, e), (∅, rq)) :(Ce, r)← IntCom.Commit((G,H), e)

W = G∏ei∈P\{e}

ei .πRoot ← CPRoot.Prove(crsRoot, (Ce, CP , µ), (e, r,W ))πmodEq ← CPmodEq.Prove(crsmodEq, (Ce, ce), (e, e, r, rq))πRange ← CPRange.Prove(crsRange, (2

µ−1, 2µ), ce, e, rq)Return π := (Ce, πRoot, πmodEq, πRange).

VerProof(crs, (CP , ce), π) : Return 1 iffCPRoot.VerProof(crsRoot, (Ce, CP , µ), πRoot) = 1 ∧ CPmodEq.VerProof(crsmodEq, (Ce, ce), πmodEq) = 1 ∧CPRange.VerProof(crsRange, ce, πRange) = 1.

Fig. 7: MemCPRSAPrm CP-SNARK for set membership

27

computation, we use a CP-NIZK for range proofs. Namely, we let CPRange be a NIZK for thefollowing relation on PedCom commitments c and two given integers A < B:

RRange ((ce, A,B), (e, rq)) = 1 iff c = gehrq ∧ A < eq < B

The idea behind the security of the scheme is similar to the one of the MemCPRSA scheme. Themain difference is that here we rely on the range proof πRange in order to “connect” the Pedersencommitment ce to the accumulator. In particular, in order to argue the absence of possible collisionshere we assume that dµ+2 ≤ ν holds, namely we argue security only for this setting of parameters.It is worth noting that in applications where Delm is randomly chosen subset of Primes

(2µ−1, 2µ

),

we could argue security even when dµ + 2 > ν, in a way similar to Theorem 4.2. We omit theanalysis of this case from the paper.

Theorem 4.5. Let PedCom, SetComRSA′ and IntCom be computationally binding commitments,CPRoot, CPmodEq and CPRange be knowledge-sound NIZK arguments, and assume that the StrongRSA assumption hold. If dµ+2 ≤ ν, then MemCPRSAPrm is knowledge-sound with partial opening ofthe set commitments cP . Furthermore, if PedCom, SetComRSA′ and IntCom are statistically hidingcommitments, and CPRoot, CPmodEq and CPRange be zero-knowledge, then MemCPRSAPrm is zero-knowledge.

Proof [of Theorem 4.5] Knowledge Soundness with Partial Opening of CP : the proof is

similar to the one of theorem 4.1 except for some minor parts.

Let a malicious prover P∗, a PPT adversary of Knowledge Soundness with Partial Opening (see thedefinition in section 2.5) that on input (ck, Rmem, crs, auxR, auxZ) outputs (CP , ce, P, π) such thatthe verifier V accepts, i.e. VerProof(crs, CP , ce), π) = 1 and VerCommit(ck, tU , CP , P,∅) = 1 withnon-negligible probability ε. We will construct a PPT extractor E that on the same input outputsa partial witness (e, r) such that Rmem(P, e) = 1 ∧ VerCommit(ck, tq, ce, e, r) = 1.

For this we rely on the Knowledge Soundness of CPRoot,CPmodEq and CPRange protocols. E parsesπ := (Ce, πRoot, πmodEq, πRange) and crs := (N,G,H,Hprime,Gq, g, h, crsRange), from which it com-putes the corresponding crsRoot := (N,G,H) and crsmodEq := (N,G,H,Gq, g, h). Then constructsan adversary ARoot for CPRoot Knowledge Soundness that outputs (Ce, CP , µ, πRoot). It is obviousthat since V accepts π then it also accepts πRoot, i.e., CPRoot.VerProof(crsRoot, (Ce, CP , µ), πRoot) = 1.From Knowledge Soundness of CPRoot we know that there is an extractor ERoot that outputs (e, r,W )such that Ce = ±GeHr (mod N)∧W e = CP (mod N)∧e < 2λz+λs+µ+2. Similarly, E constructs ad-versaries AmodEq and ARange of protocols CPmodEq and CPRange respectively. And similarly there areextractors EmodEq and ERange that output (e′, eq, r

′, rq) such that e′ = eq (mod q) ∧ Ce′ = ±Ge′Hr′

(mod N)∧ceq = geq mod qhrq mod q and (e′q, r′q) such that ce = ge

′qhr

′q ∧2µ−1 < e′q < 2µ respectively.

From the Binding property of the integer commitment scheme we get that e = e′ and r = r′

(over the integers), unless with a negligible probability. Similarly, from the Binding property of thePedersen commitment scheme we get that eq = e′q (mod q) and rq = r′q (mod q), unless with anegligible probability. So if we put everything together the extracted values are (e, r,W, eq, rq) suchthat:

W e = CP (mod N) ∧ e < 2λz+λs+µ+2 ∧ e = eq (mod q) ∧ 2µ−1 < eq < 2µ

and additionally

Ce = ±GeHr ∧ ce = geq mod qhrq mod q

28

From VerCommit(ck, tU , CP , P,∅) = 1 we infer that CP = GprodP , where for each ei ∈ P it holdsthat e ∈ Primes

(2µ−1, 2µ

). From the strong RSA assumption since W e = CP = GprodP (mod N)

we get e ∈ ΠP , unless with a negligible probability (see appendix A.1).The rest of the analysis that justifies e ∈ P is identical to the one of the proof of theorem 4.1.

So e ∈ P and as shown above VerCommit(ck, tq, ce, eq, rq) = 1.

Zero Knowledge: For the Zero Knowledge Property we rely on similar techniques with the onesof the proof of theorem 4.3 except for the use of SHashEq. Here we use instead the simulator of theCPRange protocol, SRange. ut

4.4 Proposed Instantiations of Protocols for RRoot and RmodEq

Root protocol

On common reference string crs = (Z∗N , G,H)

Prove(crs, (Ce, Acc), (e, r, w)) :1. samples r2, r3 ←$ (−bN/4c , bN/4c) and computes CW ←WHr2 , Cr ← Gr2Hr3 .2. Computes the non-interactive version of the above protocol

re ←$(−2λz+λs+µ, 2λz+λs+µ

), rr, rr2 , rr3 ←$

(−bN/4c 2λz+λs , bN/4c 2λz+λs

)rβ , rδ ←$

(−bN/4c 2λz+λs+µ, bN/4c 2λz+λs+µ

)α1 ← GreHrr , α2 ← Grr2Hrr3 , α3 ← CreW

(1H

)rβ , α4 ← Crer ( 1H

)rδ(

1G

)rβc← H(α1, α2, α3, α4, Ce, Acc)se ← re − ce, sr ← rr − cr, sr2 ← rr2 − cr2, sr3 ← rr3 − crr3 , sβ ← rβ − cer2, sδ ← rδ − cer3

Returns π ← (CW , Cr, α1, α2, α3, α4, se, sr, sr2 , sr3 , sβ , sδ)

VerProof(crs, (Ce, Acc), π) : returns 1 iff α1 = CceGseHsr ∧ α2 = CcrG

sr2Hsr3 ∧ α3 = AcccCseW(

1H

)sβ ∧ α4 =

Cser(

1H

)sδ ( 1G

)sβ ∧ se ∈ [−2λ+λs+µ+1, 2λ+λs+µ+1]

Fig. 8

Protocol CPRoot. We first give a protocol CPRoot′ for a simpler version of the Root relation inwhich the upper bound on e is removed; let us call RRoot′ this relation.

Below is an interactive ZK protocol for RRoot′ :

1. Prover computes a W such that W e = Acc and CW = WHr2 , Cr = Gr2Hr3 and sends to theverifier:P → V : CW , Cr

2. Prover and Verifier perform a protocol for the relation:R((Ce, Cr, CW , Acc), (e, r, r2, r3, β, δ)) = 1 iff

Ce = GeHr ∧ Cr = Gr2Hr3 ∧Acc = CeW

(1

H

)β∧ 1 = Cer

(1

H

)δ ( 1

G

)βLet λs be the size of the challenge space, λz be the statistical security parameter and µ the sizeof e.

29

– Prover samples:

re←$

(−2λz+λs+µ, 2λz+λs+µ

)rr, rr2 , rr3 ←$


)rβ, rδ←$


)and computes:

α1 = GreHrr , α2 = Grr2Hrr3 , α3 = CreW

(1

H

)rβ, α4 = Crer (

1

H)rδ(

1

G

)rβP → V : (α1, α2, α3, α4)

– Verifier samples the challenge c← {0, 1}λsV → P : c

– Prover computes the response:

se = re − cesr = rr − cr, sr2 = rr2 − cr2, sr3 = rr3 − crr3sβ = rβ − cer2, sδ = rδ − cer3

P → V : (se, sr, sr2 , sr3 , sβ, sδ)

– Verifier checks if:

α1?= CceG

seHsr , α2?= CcrG

sr2Hsr3 , α3?= AcccCseW

(1

H

)sβ, α4

?= Cser

(1

H

)sδ ( 1

G

)sβTheorem 4.6. Let Z∗N be an RSA group where strong-RSA assumption holds, then the above pro-tocol is a correct, knowledge sound and honest-verifier zero knowledge protocol for RRoot′.

The proof of the above is similar to the one of [CL02] where the more specific protocol wasintroduced, but implicitly was including a protocol for RRoot′ . Before proceeding to the proof werecall some properties related to RSA groups. First we expose two standard arguments. The first isthat obtaining a multiple of φ(N) is equivalent to factoring N . This directly allows us to argue thatfor any G ∈ Z∗N , if one is able to find an x ∈ Z such that Gx = 1 (mod N) then under the factoringassumption x = 0, otherwise x is a multiple of φ(N). Secondly, finding any non-trivial solution ofthe equation µ2 = 1 (mod N) in Z∗N (non-trivial means µ 6= ±1) is equivalent to factoring N .

Remark 4.5. In 2017 Couteau et al. proved that in fact knowledge soundness for the protocol ofopening an integer commitment can be reduced to (plain) RSA problem [CPP17]. This could beinherited to our protocol too. However, the relation itself assumes strong RSA’s hardness, otherwisefinding a root would be computable in polynomial time. Additionally, in the reduction to (plain)RSA, the extractor’s probability of success is cubic, while in the reduction to strong RSA linear, inthe adversary’s probability of success.

Proposition 4.1. Let Z∗N be an RSA group with a modulus N and QRN the corresponding groupof quadratic residues modulo N .

30

1. Let G,H←$ QRN two random generators of QRN and a PPT adversary A outputting α, β ∈ Z∗Nsuch that GαHβ = 1 then under the assumption that DLOG problem is hard in QRN it holdsthat α = β = 0.

2. Let A,B ∈ Z∗N and a PPT adversary A outputting x, y ∈ Z∗N such that Ay = Bx and y | x then

under the assumption that factoring of N is hard it holds that A = ±Bxy

Proof

1. Since G,H ∈ QRN there is an x ∈ Z∗N such that G = Hx (mod N) which leads to Hxα+β = 1.As we discussed above under the assumption that factoring of N is hard, xα+ β = 0. If α 6= 0then x ← −β

α is a discrete logarithm of H, so assuming that DLOG is hard α = 0. Similarly,there is an y ∈ Z∗N such that Gy = H (mod N) and with a similar argument we can concludethat β = 0.

2. We discern two cases, y = ρ is odd or y = 2vρ is even (for an odd ρ). In case y is odd then itis co-prime with φ(N) = p′q′ (otherwise if y = p′ or y = q′ we would be able to factor N), so

y−1 (mod φ(N)) exists and A = Bxy . If y = 2vρ then

(A−1B

xy

)y= 1 ⇒

(A−1B

xy

)2vρ= 1 ⇒(

A−1Bxy

)2v= 1. From the second fact that we discussed above under the factoring assumption(

A−1Bxy

)2v−1

= ±1. However for v > 1 the left part of the equation is a quadratic residue so it

cannot be −1, therefore(A−1B

xy

)2v−1

= 1. Using the same facts repeatedly we will eventually

conclude that(A−1B

xy

)2= 1, hence A−1B

xy = ±1⇒ A = ±B

xy .

ut

Proof [proof of theorem 4.6] Correctness is straightforward. Honest-verifier zero knowledge canbe shown with standard arguments used in Σ-protocols and the fact that the commitments toCe, CW , Cr are statistically hiding. That is the simulator S on input (Ce,Acc) samples C∗W ←$Z∗Nand C∗r ←$Z∗N . Then samples

s∗e←$

(−2λz+λs+µ − 2λz+µ, 2λz+λs+µ + 2λz+µ

),

s∗r , s∗r2 , s

∗r3 ←$

(−bN/4c 2λz+λs − bN/4c 2λs , bN/4c 2λz+λs + bN/4c 2λs

),

s∗β, s∗δ ←$

(−bN/4c 2λz+λs+µ − bN/4c 2λs+µ, bN/4c 2λz+λs+µ + bN/4c 2λs+µ

).

Finally it samples c∗←$ {0, 1}λs . Then it sets α∗1 ← CceGseHsr , α∗2 ← CcrG

sr2Hsr3 , α∗3 ← AcccCseW(1H

)sβand α∗4

?= Cser

(1H

)sδ ( 1G

)sβ . S outputs π∗ ← (C∗W , C∗r , α

∗1, α∗2, α∗3, α∗4, c∗, s∗e, s

∗r , s∗r2 , s

∗r3 , s

∗β, s∗δ). The

distribution of π∗ is identical to the one of a real proof π.For the knowledge soundness, let an adversary of the knowledge soundness A that is able to

convince the verifier V with a probability at least ε. We will construct an extractor E that extractsthe witness (e, r, r2, r3, β, δ). Using rewinding E gets two accepted transcripts

(CW , Cr, α1, α2, α3, α4, c, se, sr, sr2 , sr3 , sβ, sδ) and (CW , Cr, α1, α2, α3, α4, c′, s′e, s

′r, s′r2 , s

′r3 , s

′β, s′δ)

on two different challenges c and c′. E aborts if it cannot get two such transcripts (abort1).

31

We denote ∆c := c′−c,∆se := se−s′e, ∆sr := sr−s′r, ∆sr2 := sr2−s′r2 , ∆sr3 := sr3−s′r3 , ∆sβ :=sβ − s′β, ∆sδ := sδ − s′δ then

C∆ce = G∆seH∆sr , C∆cr = G∆sr2H∆sr3 ,Acc∆c = C∆seW

(1

H

)∆sβ, 1 = C∆ser

(1

H

)∆sδ ( 1

G

)∆sβDefine the (possibly rational) numbers e := ∆se

∆c , r := ∆sr∆c , r2 :=

∆sr2∆c , r3 :=

∆sr3∆c . In case ∆c

doesn’t divide ∆se and ∆sr, E aborts (abort 2a). Similarly, in case ∆c doesn’t divide ∆sr2 and∆sr3 , E aborts (abort 2b). Therefore, since the above aborts didn’t happen and according to secondpoint of proposition 4.1, Ce = ±GeH r and Cr = ±Gr2H r3 .

Now if we replace Cr in the fourth equation we get 1 = (±1)∆seGr2∆seH r3∆se(1H

)∆sδ ( 1G

)∆sβor (±1)∆seGr2∆se−∆sβH r3∆se−∆sδ = 1. However, (±1)∆se = 1 otherwise if (±1)∆se = −1 then−Gr2∆se−∆sβH r3∆se−∆sδ would be a non-quadratic residue (since G,H are both in QRN and QRNis closed under multiplication) equal to 1 which is a quadratic residue and this would be a contra-diction, hence Gr2∆se−∆sβH r3∆se−∆sδ = 1. According to the first point of proposition 4.1, underthe factoring assumption r2∆se −∆sβ = r3∆se −∆sδ = 0, so r2∆se = ∆sβ.

Finally we replace ∆sβ in the third equation and we get Acc∆c = C∆seW

(1H

)r2∆se ⇒ Acc∆c =(CwH r2

)∆se. As stated above ∆c divides ∆se so according to the second point of proposition 4.1

Acc = ±(CWH r2

)∆se∆c

= ±(CWH r2

)e. We discern three cases:

– Acc = +(CWH r2

)∆se∆c

: Then E sets W ← CWH r2

and e← e := ∆se∆c r ← r := ∆sr

∆c as above. It is clear

that Acc = W e and as stated above Ce = GeH r.

– Acc = −(CWH r2

)∆se∆c

and ∆se∆c odd: Then E sets W ← − CW

H r2and e ← e := ∆se

∆c r ← r := ∆sr∆c as

above. It is clear that Acc = W e and as stated above Ce = GeH r.

– Acc = −(CWH r2

)∆se∆c

and ∆se∆c even: this means that Acc is a non-quadratic residue, which is a

contradiction since in the RRoot′ relation we assume that Acc ∈ QRN .

Finally the E outputs (e, r, W ).Now we show that the probability the extractor terminates with outputting a valid witness

is O(ε). If the extractor does not abort then it clearly outputs a valid witness (under factoringassumption). For the first abort, with a standard argument it can be shown that the extractor isable to extract two accepting transcripts with probability O(ε) (for the probabilistic analysis werefer to [DF02]). Thus Pr[abort1] = 1−O(ε). For the second type of aborts (abort 2a and abort 2b),they happen with negligible probability under the strong RSA assumption. For the details seelemma 4.2 below, which was proven in [DF02]. Putting them together the probability of success ofE is at least O(ε)− negl(λs).

Lemma 4.2 ([DF02]). Given that abort 2a occurs a PPT adversary B can solve the strong RSAproblem with probability at least 1

2 − 2−λs.

From the above we get Pr[B solves sRSA] ≥(12 − 2−λs

)Pr[abort 2a], so we conclude to Pr[abort 2a] ≤

112−2−λs Pr[B solves sRSA] = negl(λs). The same lemma holds for abort 2b. ut

32

Notice in the above protocol that

−2λz+λs+µ − 2λs+µ ≤ se ≤ 2λz+λs+µ + 2λs+µ ⇒

−2λz+λs+µ+1 ≤ se ≤ 2λz+λs+µ+1 ⇒

−2λz+λs+µ+2 ≤ ∆se ≤ 2λz+λs+µ+2 ⇒

−2λz+λs+µ+2 ≤ e ≤ 2λz+λs+µ+2

so if we impose an additional verification check of honest se size, i.e., se ∈[−2λz+λs+µ+1, 2λz+λs+µ+1

],

we get that |e| ≤ 2λz+λs+µ+2. The verifier performs an extra range check se?∈[−2λz+λs+µ+1, 2λz+λs+µ+1

]and the resulting protocol is the CPRoot that except for proving of knowledge of an e-th root alsoprovides a bound for the size of |e|:

RRoot ((Ce, Acc, µ), (e, r,W )) = 1 iff Ce = ±GeHr (mod N)∧W e = Acc (mod N)∧|e| < 2λz+λs+µ+2

Protocol CPmodEq. Below we describe the public-coin ZK protocol for RmodEq. In Figure 9 wesummarize the corresponding NIZK obtained after applying the Fiat-Shamir transform to it.

1. Prover samples:

re ←(−2λz+λs+µ, 2λz+λs+µ

)rr ←


)rrq ← Zq

and computes:

α1 = GreHrr , α2 = gre (mod p)hrrq

P → V : (α1, α2)2. Verifier samples the challenge c← {0, 1}λsV → P : c

3. Prover computes the response:

se = re − cesr = rr − crsrq = rrq − crq (mod q)

P → V : (se, sr, srq)4. Verifier checks if:

α1?= ±CceGseHsr (mod N), α2

?= cceqg

se (mod q)hsrq

Theorem 4.7. Let Z∗N be an RSA group where strong-RSA assumption holds and G be a primeorder group where DLOG assumption holds then the above protocol is a correct, knowledge soundand honest-verifier zero knowledge protocol for RmodEq.

The proof is quite simple and is omitted.

33

modEq protocol

On common reference string crs = (Z∗N , G,H,G, g, h)

Prove(crs, (Ce, ceq ), (e, eq, r, rq)) :re ←$


), rr ←$


), rr′ ←$Zq

α1 ← GreHrr , α2 ← gre (mod q)hrr′

c← H(α1, α2, Ce, ceq )se ← re − ce, sr ← rr − cr, sr′ ← rrq − crq (mod q)Returns π ← (α1, α2, se, sr, srq )

VerProof(crs, (Ce, ceq ), π) : returns 1 iff α1 = ±CceGseHsr (mod N) ∧ α2 = cceqgse (mod q)hsrq

Fig. 9

4.5 Instantiations

We discuss the possible instantiations of our schemes MemCPRSA and MemCPRSAPrm that can beobtained by looking at applications’ constraints and security parameters constraints.

Parameters for dµ+ 2 ≤ ν and µ ≤ ν − 2. First we analyze possible parameters that satisfy theconditions dµ+2 ≤ ν∧µ ≤ ν−2 that is used in Theorems 4.1 and 4.2; we recall d = 1+bλz+λs+2

µ c,where λz and λs are statistical security parameters for zero-knowledge and soundness respectivelyof CPRoot.

If the prime order group Gq is instantiated with (pairing-friendly) elliptic curves, then the bitsizeν of its order must be at least 2λ. And recall that for correctness we need µ < ν.

Considering these constraints, one way to satisfy dµ + 2 ≤ ν is to choose µ such that ν − 1 >µ > λz + λs + 2. More specifically, a choice that maximizes security is ν = 2λ, µ = 2λ − 2 andλz = λ − 3, λs = λ − 2. For the case of the MemCPRSA scheme, this choice yields an instantiationwith nearly λ bits of security and where the function H does not necessarily need to be a randomoracle (yet it must be collision resistant).

Because of the constraint µ > λz + λs + 2, we the choice above implies the use of large primes.This would be anyway the case if one instantiates the scheme with a collision-resistant hash functionH (e.g., SHA256 or SHA3), e.g., because set elements are quite arbitrary. If on the other hand, onecould support more specific set elements, one could use instead a deterministic map-to-primes oreven use our scheme MemCPRSAPrm in which set elements themselves are primes. In this case onemay wonder if it is possible to choose values of µ smaller than 2λ; for example µ ≈ 30, 60, 80. Theanswer is positive although the characterization of such µ’s require an involved analysis.

Let us fix ν = 2λ, and say that the statistical security parameters λz, λs are such that λz +λs + 2 = 2λ− 2− c for some constant c (for example c = 4 if λz = λs = λ− 4). We are essentiallylooking for µ such that

µ ≤ 2λ− 2− c and µ+ µ

⌊2λ− 2

µ− c

µ

⌋≤ 2λ− 2

⇐⇒ µ ≤ 2λ− 2− c and

⌊2λ− 2

µ− c

µ

⌋≤ 2λ− 2

µ− 1

34

From the fact x mod y = x− ybxy c, we can reduce the above inequality into

µ ≤ 2λ− 2− c and 2λ− 2− c mod µ ≥ µ− c

that can admit solutions for c ≥ 2.

For instance, if λ = 128 and c = 4, then we get several options for µ, e.g., µ = 32, 42, 63, 84, 126, 127.

Parameters for dµ+ 2 > ν. This case concerns only MemCPRSA and Theorem 4.2 in particular.In this case, if one aims at maximizing security, say to get a scheme with λ-bits of security, thenwould have to set µ ≈ 2λ for collision resistance, and consequently select the prime order groupso that ν ≥ 3λ. This choice however is costly in terms of performance since the efficiency of allprotocols that work in the prime order group degrades. Nevertheless, in our full paper we willanalyze intermediate cases in which we can adjust the parameters in order to get some concretesecurity bounds that are still reasonable.

5 A CP-SNARK for Set Non-Membership with Short Parameters

Here we describe two CP-SNARKs for set non-membership that work in a setting identical to theone of section 4. Namely, the set is committed using an RSA accumulator, and the element (thatone wants to prove not to belong to the set) is committed using a Pedersen commitment scheme.As in the previous section, we propose two protocols for non-membership, called NonMemCPRSA

and NonMemCPRSAPrm, in complete analogy to MemCPRSA and MemCPRSAPrm. In the former, theelements of the set are arbitrary bit-strings of length η, Delm = {0, 1}η, while in the latter theelements are primes of length µ. The schemes are fully described in figures 10 and 11.

An High-Level Overview of the Constructions. The main idea of NonMemCPRSA is similarto the one of the corresponding membership protocol, MemCPRSA. It uses in the same modular waythe modEq and HashEq protocols. The only difference lies in the third protocol: instead of usingRoot it uses a new protocol Coprime. In a similar manner, NonMemCPRSAPrm uses modEq, Rangeand Coprime.

Let us explain the need of the Coprime protocol and what it does. First, recall how a non-membership proof is computed in RSA Accumulators [LLX07]. Let P be a set of primes to beaccumulated and prod the corresponding product. For any prime element e /∈ P it holds thatgcd(e, prod) = 1, while for any member e ∈ P it is gcd(e, prod) = e 6= 1. Thus, proving thatgcd(e, prod) = 1 would exhibit non-membership of e in P . Recall, also, that using the extendedEuclidean algorithm one can efficiently compute coefficients (a, b) such that a · e + b · prod =gcd(e, prod). A non-membership proof for an element e w.r.t. an accumulator Acc = Gprod consistsof a pair (D = Ga, b), where a, b are such that a · e+ b · prod = 1. The verification is DeAccb = G,which ensures that e and prod are coprime, i.e. gcd(e, prod) = 1. Therefore, the goal of the Coprimeprotocol is to prove knowledge of an element e committed in an integer commitment Ce thatsatisfies this relation. A more formal definition of Coprime is given below and an instantiation ofthis protocol is in Section 5.1.

Argument of Knowledge for a coprime element. We make use of a non-interactive argument ofknowledge of a non-membership witness of an element such that the verification equation explainedabove holds. More formally CPCoprime, is a NIZK for the relation: RCoprime : (Z∗N ×QRN )× (Z×Z×QRN × Z) defined as

35

KeyGen(ck, R∈) : parse ck := ((N,G,Hprime), (Gq, g, h)) as the commitment keys of SetComRSA and PedComrespectively. Sample a random generator H.Generate crsHashEq ←$CPHashEq.KeyGen((Gq, g, h), RHashEq), a crs for CPHashEq.Return crs := (N,G,H,Hprime,Gq, g, h, crsHashEq).Given crs, one can define crsCoprime := (N,G,H), crsmodEq := (N,G,H,Gq, g, h).

Prove(crs, (CU , cu), (U, u), (∅, ru)) : e← Hprime(u) = (1|H(u, j)), (ce, rq)← Com1.Commit(ck, tq, e).(Ce, r)← IntCom.Commit((G,H), e); P ← {Hprime(u) : u ∈ U}, compute a, b s.t. a · e+ b ·

∏ei∈P ei = 1 and

set D = Ga.πCoprime ← CPCoprime.Prove(crsCoprime, (Ce, CU , µ), (e, r,D, b))πmodEq ← CPmodEq.Prove(crsmodEq, (Ce, ce), (e, e, r, rq))πHashEq ← CPHashEq.Prove(crsHashEq, (ce, cu), (e, u), (rq, ru), j)Return π := (Ce, ce, πRoot, πmodEq, πHashEq).

VerProof(crs, (CU , cu), π) : Return 1 iff CPRoot.VerProof(crsCoprime, (Ce, CU , µ), πCoprime) = 1 ∧CPmodEq.VerProof(crsmodEq, (Ce, ce), πmodEq) = 1 ∧ CPHashEq.VerProof(crsHashEq, (ce, cu), πHashEq) = 1.

Fig. 10: NonMemCPRSA CP-SNARK for set non-membership

KeyGen(ck, R∈) : parse ck := ((N,G,Hprime), (Gq, g, h)) as the commitment keys of SetComRSA′ and PedComrespectively. Sample a random generator H.Generate crsRange ←$CPRange.KeyGen((Gq, g, h), RRange), a crs for CPRange.Return crs := (N,G,H,Hprime,Gq, g, h, crsRange).Given crs, one can define crsCoprime := (N,G,H), crsmodEq := (N,G,H,Gq, g, h).

Prove(crs, (CP , ce), (P, e), (∅, re)) : (Ce, r)← IntCom.Commit((G,H), e); , compute a, b s.t. a·e+b·∏ei∈P ei = 1

and set D = Ga.πCoprime ← CPCoprime.Prove(crsCoprime, (Ce, CP , µ), (e, r,D, b))πmodEq ← CPmodEq.Prove(crsmodEq, (Ce, ce), (e, e, r, rq))πRange ← CPRange.Prove(crsRange, (2

µ−1, 2µ), ce, e, rq)Return π := (Ce, ce, πCoprime, πmodEq, πRange).

VerProof(crs, (CP , ce), π) : Return 1 iff CPCoprime.VerProof(crsCoprime, (Ce, CP , µ), πCoprime) = 1 ∧CPmodEq.VerProof(crsmodEq, (Ce, ce), πmodEq) = 1 ∧ CPRange.VerProof(crsRange, ce, πRange) = 1.

Fig. 11: NonMemCPRSAPrm CP-SNARK for set non-membership

RCoprime ((Ce,Acc), (e, r,D, b)) = 1 iff

Ce = ±GeHr mod N ∧ DeAccb = G ∧ |e| < 2λz+λs+µ+2

We propose an instantiation of a protocol for the above relation in the Section 5.1.

Our Constructions of NonMemCPRSA and NonMemCPRSAPrm. In Figures 10 and 11 we give afull description of the schemes.

The security of these schemes follow very closely the one of the corresponding membershipschemes given in Section 4. Below we give the Theorems that state their security. The proofs areomitted since they are almost identical to the corresponding proofs for the membership schemes.

Theorem 5.1. Let PedCom, SetComRSA and IntCom be computationally binding commitments,CPCoprime, CPmodEq and CPHashEq be knowledge-sound NIZK arguments, and assume that the Strong

36

RSA assumption hold, and that H is collision resistant. If dµ+2 ≤ ν, λs+1 < µ and λs < log(N)/2then NonMemCPRSA is knowledge-sound with partial opening of the set commitments CU .

Theorem 5.2. Let PedCom, SetComRSA and IntCom be computationally binding commitments,CPCoprime, CPmodEq and CPHashEq be knowledge-sound NIZK arguments, and assume that the StrongRSA assumption hold, and that H is collision resistant. If dµ+2 > ν, λs+1 < µ, λs < log(N)/2, d =O(1) is a small constant, 2µ−ν ∈ negl(λ) and H is modeled as a random oracle, then NonMemCPRSA

is knowledge-sound with partial opening of the set commitments CU .

Theorem 5.3. Let PedCom, SetComRSA′ and IntCom be computationally binding commitments,CPCoprime, CPmodEq and CPRange be knowledge-sound NIZK arguments, and assume that the StrongRSA assumption hold. If dµ + 2 ≤ ν, λs + 1 < µ and λs < log(N)/2 then NonMemCPRSAPrm

is knowledge-sound with partial opening of the set commitments cP . Furthermore, if PedCom,SetComRSA′ and IntCom are statistically hiding commitments, and CPCoprime, CPmodEq and CPRange

be zero-knowledge, then NonMemCPRSAPrm is zero-knowledge.

5.1 Proposed Instantiations of Protocol for RCoprime

Below we propose an interactive ZK protocol for RCoprime. As the relation indicates, we need toprove knowledge of (D, b) such that DeAccb = G, for a committed e. Proving opening of Ce to eis straightforward, so the main challenge is to prove the non-membership equation. For this theprover should send D and Accb to the verifier so that she can check that DeAccb = G herself. Ofcourse, there are two caveats. The first one is that D and Accb cannot be sent in the plain as werequire zero-knowledge; we solve this by sending them in a hiding manner, i.e., Ca = DHra andCB = AccbHρB for random values ra, ρB. Consequently, the verification now should work with thehiding elements. Secondly, the verifier should be ensured that Accb is indeed an exponentiation ofAcc with a known (to the prover) value b, otherwise soundness can be broken. More specifically werequire extraction of b, ρB such that CB = AccbHρB . This is done using the partial opening of Accto the set represented by prod, i.e., the protocol assumes that Acc = Gprod is a common knowledge.

Below we present our protocol in full details.

1. Prover computes Ca = DHra , Cra = GraHr′a , CB = AccbHρB , CρB = GρBHρ′B and sends to theverifier:P → V : Ca, Cra , CB, CρB

2. Prover and Verifier perform a protocol for the relation:R((Acc, Ce, Ca, Cra , CB, CρB ), (e, b, r, ra, r

′a, ρB, ρ

′B, β, δ)) = 1 iff

CB = AccbHρB ∧ Ce = GeHr ∧ Cra = GraHr′a

∧CρB = GρBHρ′B ∧ CeaCB = GHβ ∧ CeraCρB = GβHδ

Let λs be the size of the challenge space, λz be the statistical security parameter and µ the sizeof e.– Prover samples:

rb, re←$


)rρB , rr, rra , rr′a , rρ′B ←$


)rβ, rδ←$


)37

and computes:

α2 = AccrbHrρB , α3 = GreHrr , α4 = GrraHrr′a ,

α5 = Crea Hrβ , α6 = CreraG

rβHrδ , α7 = GrρBHrρ′B

P → V : (α2, α3, α4, α5, α6, α7)



sb = rb − cb, se = re − cesρB = rρB − cρB, sr = rr − cr, sra = rra − cra, sr′a = rr′a − cr

′a, sρ′B = rρ′B − cρ

′B

sβ = rβ + c(era + ρB), sδ = rδ + c(er′a + ρ′B)

P → V : (sb, se, sρB , sr, sra , sr′a , sρ′B , sβ, sδ)


α2?= CcBAccsbHsρB , α3

?= CceG

seHsr , α4?= CcraG

sraHsr′a ,

α5?= Csea H

sβGcC−cB , α6?= CseraH

sδGsβC−cρB , α7?= CcρBG

sρBHsρ′B ,

se?∈[−2λz+λs+µ+1, 2λz+λs+µ+1

]

Coprime protocol


Prove(crs, (Ce,Acc), (e, r, (D, b))) :

1. samples ra, ra′ , ρB , ρB′ ←$ (−bN/4c , bN/4c) and computes Ca = DHra , Cra = GraHr′a , CB =

AccbHρB , CρB = GρBHρ′B .2. Computes the non-interactive version of the above protocol

rb, re ←$(−2λz+λs+µ, 2λz+λs+µ

)rρB , rr, rra , rr′a , rρ′B ←$


)rβ , rδ ←$


)α2 = AccrbHrρB , α3 = GreHrr , α4 = GrraH

rr′a , α5 = Crea Hrβ , α6 = CreraG


c← H(α2, α3, α4, α5, α6, α7, Ce, Acc)sb = rb − cb, se = re − ce, sρB = rρB − cρB , sr = rr − cr, sra = rra − cra, sr′a = rr′a − crra , sρ′B =

rρ′B− cρ′B , sβ = rβ + c(era + ρB), sδ = rδ + c(er′a + ρ′B)

Returns π ← (Ca, Cra , CB , CρB , α2, α3, α4, α5, α6, α7, sb, se, srb , sρB , sr, sra , sr′a , sρ′B , sβ , sδ)

VerProof(crs, (Ce,Acc), π) : returns 1 iff α2 = CcBAccsbHsρB ∧ α3 = CceG

seHsr ∧ α4 = CcraGsraH

sr′a ∧ α5 =

Csea HsβGcC−cB ∧ α6 = CseraH

sδGsβC−cρB ∧ α7 = CcρBGsρBH

sρ′B ∧ ∧se ∈

[−2λ+λs+µ+1, 2λ+λs+µ+1

]

Fig. 12

38

Correctness. Here we show the correctness of the protocol.

α2 = AccrbHrρB = Accsb+cbHsρB+cρB = AccsrbHsρB (AccbHρB )c

= AccsbHsρBCcB

α3 = GreHrr = Gse+ceHsr+cr = GseHsr(GeHr)c

= GseHsrCce

α4 = GrraHrr′a = Gsra+craH

sr′a+cr′a = GsraH

sr′a (GraHr′a)c

= GsraHsr′aCcra

α5 = Crea Hrβ = Cse+cea Hsβ−c(era+ρB) = Csea H

sβ (DeHera)cH−c(era+ρB)

= Csea Hsβ (DeH−ρB )c = Csea H

sβ (GAcc−bH−ρB )c =

= Csea HsβGcC−cB

α6 = CreraGrβHrδ = Cse+cera Gsβ−c(era+ρB)Hsδ−c(er′a+ρ′B)

= CseraGsβHsδ(GraHr′a)ceG−c(era+ρB)H−c(er

′a+ρ

′B) = CseraG

sβHsδG−cρBH−cρ′B

= CseraGsβHsδC−cρB

α7 = GrρBHrρ′B = GsρB+cρBH

sρ′B+cρ′B = GsρBH

sρ′B (GρBHρ′B )c

= GsρBHsρ′BCcρB

Security. Security of our scheme holds with the partial opening of Acc, i.e., when it is ensuredoutside the protocol that Acc is a valid commitment of the set. The proof is similar to the one oftheorem 4.6. The main technical difference is in the extraction of the opening of CB, because Acc isnot a random generator sampled at the setup phase. However, from partial opening we know thatit is Acc = Gprod for a random generator G. This will allow us to state an alternative to lemma 4.2to justify the extraction of the opening of CB.

Theorem 5.4. Let Z∗N be an RSA group where strong-RSA assumption holds, then the above pro-tocol is honest-verifier zero knowledge protocol and, also, if λs + 1 < µ and λs < log(N)/2, isknowledge sound with partial opening of Acc for RCoprime.

Proof Zero-Knowledge can be proven with standard techniques, similar to the ones in the proofof theorem 4.6 and is therefore omitted.

For the knowledge soundness, let an adversary of the knowledge soundness A that is able toconvince the verifier V with a probability at least ε. We will construct an extractor E that extractsthe witness (e, r, r2, r3, β, δ). Using rewinding E gets two accepted transcripts

(Ca, Cra , CB, CρB , α2, α3, α4, α5, α6, α7, c, sb, se, sρB , sr, sra , sr′a , sρ′B , sβ, sδ)

(Ca, Cra , CB, CρB , α2, α3, α4, α5, α6, α7, c′, s′b, s

′e, s′ρB, s′r, s

′ra , s

′r′a, s′ρ′B

, s′β, s′δ)

on two different challenges c and c′. E aborts if it cannot get two such transcripts (abort1).We denote ∆c := c′−c,∆sb := sb−s′b, ∆se := se−s′e, ∆sρB := sρB −s′ρB , ∆sr := sr−s′r, ∆sra :=

sra − s′ra , ∆sr′a := sr′a − s′r′a, ∆sρ′B

:= sρ′B − s′ρ′B, ∆sβ := sβ − s′β, ∆sδ := sδ − s′δ then

C∆cB = Acc∆sbH∆sρB ⇒ CB = ±AccbH ρB (1)

39

C∆ce = G∆seH∆sr ⇒ Ce = ±GeH r (2)

C∆cra = G∆sraH∆sr′a ⇒ Cra = ±GraH r′a (3)

1 = C∆sea H∆sβG−∆cC∆cB (4)

1 = C∆sera H∆sδG∆sβC∆cρB (5)

C∆cρB = G∆sρBH∆sρ′

B ⇒ CρB = ±GρBH ρ′B (6)

define the (possibly rational) numbers b := ∆sb∆c , e := ∆se

∆c , r := ∆sr∆c , ra := ∆sra

∆c , r′a :=∆sr′a∆c ,

ρB :=∆sρB∆c , ρ′B :=

∆sρ′B

∆c .E aborts in case ∆c doesn’t divide: ∆se and ∆sr(abort 2a), ∆sra and ∆sr′a(abort 2b), ∆sρB and

∆sρ′B (abort 2c). And finally, E aborts if ∆c doesn’t divide ∆sb and ∆sρB (abort 2d). Therefore, afterthese aborts didn’t happen we can infer the equivalent equalities on the right of equations 2,3,6and 1.

If we replace equations 3 and 6 in equation 5 we get 1 =(±GraH r′a

)∆seH∆sβG∆sβ

(±GρBH ρ′B

)∆cor 1 = (±1)∆se(±1)∆cGra∆se+ρB∆c+∆sβH r′a∆se+ρ

′B∆c+∆sβ . Since G,H, 1 are quadratic residues then

(±1)∆se(±1)∆c = 1, hence 1 = Gra∆se+ρB∆c+∆sβH r′a∆se+ρ′B∆c+∆sβ . Then under the DLOG assump-

tion ra∆se + ρB∆c+∆sβ = 0 = r′a∆se + ρ′B∆c+∆sβ, which gives us that

∆sβ = −ra∆se − ρB∆c (7)

Finally, we replace equations 1 and 7 in equation 4 we get 1 = C∆sea H−ra∆se−ρB∆cG−∆c(±AccbH ρB

)∆cor 1 = (±1)∆cC∆sea Accb∆cG−∆cH−ra∆se or

(±AccbG−1

)∆c=(C−1a Hra

)∆se . But as noted above

∆c divides ∆se so ±AccbG−1 = ±(C−1a Hra

)e ⇒ AccbG−1 = ±(C−1a H ra

)e ⇒ (CaH ra

)eAccb = ±G.

We discern two cases:

–(CaH ra

)eAccb = +G: Then E sets D ← Ca

H ra, e← e := ∆se

∆c , r ← r := ∆sr∆c and b← b := ∆sb

∆c

–(CaH ra

)eAccb = −G: Then e should be odd otherwise if e = 2ρ then G = −

(CaH ra

)2ρAccb would be

a non-quadratic residue. So E sets D ← − CaH ra

, e ← e := ∆se∆c , r ← r := ∆sr

∆c and b ← b := ∆sb∆c .

It is clear that DeAccb = G.

Finally the E outputs (e, r, D, b).Now we show that the probability the extractor terminates with outputting a valid witness is

O(ε). If the extractor does not abort then it clearly outputs a valid witness (under the factoringassumption). For the first abort, with a standard argument it can be shown that the extractor is ableto extract two accepting transcripts with probability O(ε) (for the probabilistic analysis we referto [DF02]). Thus Pr[abort1] = 1−O(ε). For the aborts abort 2a, abort 2b and abort 2c they happenwith negligible probability (≤ 2

1−2−λs+1Pr[B solves sRSA] each, for any PPT adversary B) underthe strong RSA assumption according to lemma 4.2. For abort 2d we cannot directly use the samelemma as Acc is not a random generator that is part of the crs. However, with a similar argument andusing partial extractability we show below that the probability for this abort is the same. Puttingthem together the probability of success of E is at least O(ε) − 8

1−2−λs+1Pr[B solves sRSA] =O(ε)− negl(λs).

40

For equation 1, we get from partial opening that Acc = GprodP , where P := {Hprime(u) | u ∈ U},so

C∆cB = G∏u∈U Hprime(u)·∆sbH∆sρB

We use a similar to [DF02] argument to prove that ∆c divides ∆sb and ∆sρB under the strongRSA assumption, given that λs + 1 < µ. Then

CB = ±AccbH ρB (8)

Lemma 5.1. Let λs + 1 < µ and λs < log(N)/2 then ∆c divides ∆sb and ∆sρB under the strongRSA assumption.

Proof An adversary against the strong RSA assumption receives H ∈ QRN and does the follow-ing: sets G = Hτ for τ ←$ [0, 2λsN2] and sends (G,H) to the adversary A which outputs a proofπCoprime. Then we rewind to get another successful proof π′Coprime and we use the extractor as above

to get C∆cB = G∏u∈U Hprime(u)·∆sbH∆sρB or

C∆cB = Hτ∏u∈U Hprime(u)·∆sb+∆sρB

We can exclude the case that ∆c divides∏u∈U Hprime(u), since ∆c is smaller than the domain of

the hash function Hprime, i.e. ∆c < Hprime(u) for each u ∈ U , which comes from λs + 1 < µ. Assumethat ∆c - ∆sb ∨∆c - ∆sρB . we discern two cases:

– ∆c doesn’t divide τ∏u∈U Hprime(u)·∆sb+∆sρB : then gcd(∆c, τ

∏u∈U Hprime(u)·∆sb+∆sρB ) = g

and there are χ, ψ such that χ ·∆c+ ψ ·(τ∏u∈U Hprime(u) ·∆sb +∆sρB

)= g. Thus

Hg = Hχ·∆c+ψ·(τ∏u∈U Hprime(u)·∆sb+∆sρB ) = Hχ∆c · Cψ∆cB =

(Hχ · CψB

)∆cSince g divides ∆c we get H = ±

(Hχ · CψB

)∆cg

. However H is a quadratic residue (thus CB

is so), meaning that H =(Hχ · CψB

)∆cg

, thus (Hχ · CψB,∆cg ) is a solution to the strong RSA

problem.

– ∆c divides τ∏u∈U Hprime(u) ·∆sb +∆sρB : let q` be the maximal q-power that divides ∆c (i.e.

q` is a factor of ∆) and doesn’t divide at least one of ∆sb and ∆sρB , where q is prime. Such a q`

should exist otherwise ∆c would divide both ∆sb and ∆sρB , which we assumed it doesn’t. Noticethat if q` divided ∆sb then it would also divide ∆sρB , as q` divides τ

∏u∈U Hprime(u)·∆sb+∆sρB

(from assumption), so q` - ∆sb.

q` |

(τ∏u∈U

Hprime(u) ·∆sb +∆sρB

)⇒ τ

∏u∈U

Hprime(u) ·∆sb +∆sρB = 0 (mod q`)

We can write τ := τ1 + τ2 ord(H). Notice that τ2 is information theoretically hidden to theadversary and thus is uniformly random in [0, 2λsN2/ord(H)] ⊃ [0, 2λsN ] in its view.

⇒ τ1∏u∈U

Hprime(u) ·∆sb + τ2ord(H)∏u∈U

Hprime(u) ·∆sb +∆sρB = 0 (mod q`)

41

⇒ τ2 ·∆sb =

(−τ1

∏u∈U

Hprime(u) ·∆sb −∆sρB

)·

(∏u∈U

Hprime(u)

)−1· (ord(H))−1 (mod q`)

To see that∏u∈U Hprime(u) has an inverse modulo q` note that since ∆c < Hprime(u) implies

q` < Hprime(u), so gcd(∏u∈U Hprime(u), q`) = 1. For the inverse of ord(H) note that H ∈ QRN

so ord(H) ∈ {q1, q2, q1q2}, where N = (2q1 + 1)(2q2 + 1) is the RSA modulus. Then fromλs < log(N)/2 we get ∆c < q1, q2 and thus gcd(ord(H), q`) = 1.

As noted above, τ2 is uniformly random in a superset of [0, 2λsN ]. But q` < ∆c < N , so2λsN is at least 2λs larger than q`. Thus τ2 is statistically close to uniform in {0, 1, . . . , q` − 1}(with 2−λs error), Prτ2 [τ2 = C (mod q`)] ≈ 1

q`. Furthermore, for any ∆sb, Prτ2 [τ2 · ∆sb = C

(mod q`)] ≈ 1q`·gcd(q`, ∆sb) ≤ 1

q`·q`−1 (since q` doesn’t divide ∆sb). This is because for variable

τ2, the equation τ2∆sb = C (mod q`) has gcd(q`, ∆sb) solutions.

In conclusion, the probability that the above equation holds is at most 1q + 2−λs ≤ 1

2 + 2−λs .

To summarize we showed that the probability to fall in the second case is at most 12 +2−λs . So with

probability to fall in the first case, and thus solve the strong RSA problem, is at least 12 − 2−λs . ut

By a simple argument identical to the one of section 4.4, we can also conclude about the range of

the extracted e: se?∈[−2λz+λs+µ+1, 2λz+λs+µ+1

]implies −2λz+λs+µ+2 ≤ e ≤ 2λz+λs+µ+2. ut

6 A CP-SNARK for Set Membership in Bilinear Groups

In this section we propose another CP-SNARK, called MemCPVC, for the set membership relationthat works in bilinear groups. Unlike the schemes of Section 4, the CP-SNARK given in thissection does not have short parameters; specifically it has a CRS linear in the size of the sets tobe committed. On the other hand, it enjoys other features that are not satisfied by our previousschemes (nor by other schemes in the literature): first, it works solely in Bilinear Groups withouthaving to deal with RSA groups; second, it allows to commit the set in an hiding manner and, forthe sake of soundness, does not need to be opened by the adversary. This is possible thanks to thefact that the set is committed in a way that (under a knowledge assumption) guarantees that theprover knows the set.

More in detail, MemCPVC is a CP-SNARK for set membership where set elements are elementsfrom the large field F = Zq where q is the order of bilinear groups. So Delm = F. In terms of set itsupports all the subsets of 2Delm of cardinality bounded by n, Dset = {U ∈ 2Delm : #U ≤ n}, whichwe denote by Sn, # symbol denotes the cardinality of a set. So U has elements in F and is a subsetof Sn.

6.1 Preliminaries and Building Blocks

Bilinear Groups. A bilinear group generator BG(1λ) outputs (q,G1,G2,GT , e), where G1, G2,GT are additive groups of prime order q, and e : G1 × G2 → GT is an efficiently computable,non-degenerate, bilinear map. For ease of exposition we present our results with Type-1 groupswhere we assume that G1 = G2. Our results are under the (` + 1)d-Strong Diffie Hellman and

42

the (d, `)-Extended Power Knowledge of Exponent assumptions, for which we refer the reader to[ZGK+17].

A Polynomial-Pedersen Type-Based Commitment Scheme. First we present PolyCom, atype-based commitment scheme which was introduced in [CFQ19] extracted from the verifiablepolynomial delegation scheme of [ZGK+17]. The scheme has two types: one for `-variate polynomialsf : F` → F over F of variable degree at most d, and one which is a standard Pedersen commitmentfor field elements. Let W`,d be the set of all multisets of {1, . . . , `} where the cardinality of eachelement is at most d. The scheme is described in figure 13.

Setup(1λ, `, d) : samples a bilinear group of order q, bp := (q, g,G1,GT , e) ← BilGen(1λ), samples

α, β, s1, . . . , s` ← F. Computes prk ←{g∏i∈W si : W ∈ W`,d

}and prkα ←

{gα·

∏i∈W si : W ∈ W`,d

}. Fi-

nally samples an s`+1 ←$F and computes h← gs`+1 and hα.Return ck← (bp, prk, prkα, gα, gβ , h, hα, hβ)

Commit(ck, tF[s], f) : parses ck := (bp, prk, prkα, gα, gβ , h, hα, hβ) and uses prk :={g∏i∈W si : W ∈ W`,d

}and

prkα :={gα·

∏i∈W si : W ∈ W`,d

}to compute gf(s) and gα·f(s) respectively. Then samples a random rf ←$F

and computes cf,1 ← gf(s)hrf and cf,2 ← gα·f(s)(hα)rf

Return (c, o)← ((cf,1, cf,2), rf )Commit(ck, tq, y) : parses ck := (bp, prk, prkα, gα, gβ , h, hα, hβ) and samples r←$F. Computes cy,1 ← gyhr and

cy,2 ← (gβ)y(hβ)r and return (c, o) := ((cy,1, cy,2), r).

VerCommit(ck, tF[s], c, f, o) : parses ck := (bp, prk, prkα, gα, gβ , h, hα, hβ) and uses prk :={g∏i∈W si : W ∈ W`,d

}to compute gf(s). Parses c := (cf,1, cf,2). Output 1 iff cf,1 = gf(s)ho ∧ e(cf,1, gα) = e(cf,2, g).

VerCommit(ck, tq, c, y, o) : parses ck := (bp, prk, prkα, gα, gβ , h, hα, hβ). Parses c := (cy,1, cy,2) Output 1 iff cy,1 =gyhr ∧ e(cy,1, gβ) = e(cy,2, g).

Fig. 13: PolyCom Commitment Scheme

Theorem 6.1. Under the (`+1)d-Strong Diffie Hellman and the (d, `)-Extended Power Knowledgeof Exponent assumptions PolyCom is an extractable trapdoor commitment scheme.

For the proof we refer to [CFQ19, ZGK+17].

Input-Hiding CP-SNARK for Polynomial Evaluation The main building block of our mainprotocol is a CP-SNARK CPPolyEval for the type-based commitment PolyCom. Loosely speaking theidea is to commit to the input t and the output y of a polynomial (with a Pedersen commitment),further commit to the polynomial f itself (with a polynomial commitment) and then prove that theopening of the committed polynomial evaluated on the opening of the committed input gives thecommitted output. The relation of the protocol is RPolyEval((tk)k∈[`], f, y)) = 1 iff f(t1, . . . , t`) = y:

R = (ck, RPolyEval) where R is over

(x,w) = ((x, c), (u, o, ω)) =(

(∅, (cy, (ctk)k∈[`], cf )) , ((y, (tk)k∈[`], f), (ry, (rtk)k∈[`], rf ),∅))

We will present a CP-SNARK for this relation, CPPolyEval, in section 6.3. CPPolyEval is based ona similar protocol for polynomial evaluation given in [CFQ19] which was in turn based on the

43

verifiable polynomial delegation scheme of zk-vSQL [ZGK+17]. In those protocols, however, theinput t is public whereas in ours we can keep it private and committed.

Range Proof CP-NIZK. We make use of CPRange, a CP-NIZK for the following relation onPedCom commitments c and two given integers A < B:

RRange ((ce, A,B), (e, rq)) = 1 iff c = gehrq ∧ A < eq < B

CPRange can have various instantiations such as Bulletproofs [BBB+18].

Multilinear Extensions of vectors. Let F be a field and n = 2`. The multilinear extension of avector a = (a0, . . . , an−1) in F is a polynomial fa : F` → F with variables x1, . . . , x` defined as

fa(x1, . . . , x`) =n−1∑i=0

ai ·∏k=1

selectik(xk)

where iì`−1 . . . i2i1 is the bit representation of i and selectik(xk) =

{xk, if ik = 1

1− xk, if ik = 0

A property of Multilinear extension of a is that fa(i1, . . . , i`) = ai for each i ∈ [n].

The type-based commitment scheme of MemCPVC. We define the type-based commitmentCEdraxPed for our CP-SNARK MemCPVC. We recall we need a commitment that allows one tocommit to both elements and sets. We build this based on an hiding variant of EDRAX VectorCommitment [CPZ18], which in turn relies on a polynomial commitment. Therefore, we use aspecial case of PolyCom for polynomials of maximum variable degree d = 1. Let ` := dlog(n)e and2[`] be the powerset of [`] = {1, ..., `} thenW`,1 = 2[`]. Furthermore, for any n′ ≤ n let L : Sn′ → Fn′

be a function that maps a set of cardinality n′ to its corresponding vector according to an ordering.The description of the scheme can be found in figure 14. Essentially the idea is to take the set, fixsome ordering so that we can encode it with a vector, and then commit to such vector using thevector commitment of [CPZ18], which in turn commits to a vector by committing to its multilinearextension polynomial.

Setup(1λ, `) : executes ck← PolyCom.Setup(1λ, `, 1)Commit(ck, tU , U) : computes

#»U ← L(U) and then the corresponding multilinear extension of

#»U , f #»

U . Returns(c, o)← PolyCom.Commit(ck, tF[s], f #»

S ).Commit(ck, tq, y) : returns (c, o)← PolyCom.Commit(ck, tq, y)VerCommit(ck, tU , c, U, o) : computes

#»U ← L(U) and then the corresponding multilinear extension of

#»U , f #»

U .Outputs PolyCom.VerCommit(ck, tF[s], c, f #»

S , o).VerCommit(ck, tq, c, y, o) : outputs PolyCom.VerCommit(ck, tq, c, y, o).

Fig. 14: CEdraxPed

6.2 CP-SNARK for Set membership using EDRAX Vector Commitment

Here we present a CP-SNARK for set membership that uses a Vector Commitment - an EDRAX[CPZ18] variant - to commit to a set. The idea is to transform a set to a vector (using for example

44

lexicographical order) and then commit to the vector with a vector commitment. Then the setmembership is proven with a zero knowledge proof of opening of the corresponding position ofthe vector. However to preserve zero knowledge we additionally need to hide the position of theelement. For this we construct a zero knowledge proof of knowledge of an opening of a positionthat does not give out the position. Finally, since the position is hidden we additionally need toensure that the prover is not cheating by providing a proof for a position that exceeds the lengthof the vector. For this we, also, need a proof of range for the position, i.e. that i < n.

In this section the domain of the elements is a field, Delm := F, and the domain of the set is allthe subsets of 2Delm of cardinality bounded by n, Dset = {U ∈ 2Delm : #U ≤ n}, which we denote bySn (the # symbol denotes the cardinality of a set). So U has elements in F and is a subset of Sn.

The type-based commitment of our scheme is CEdraxPed (fig. 14) that is presented in the previoussection, and the relation is

R = (ck, RVCmem) where R is over

(x,w) = ((x, c), (u, o, ω)) =((

#U, (cy, (cik)k∈[`], cU )),((y, (ik)k∈[`], U), (ry, (rik)k∈[`], rU ),∅

))RVCmem(#U,

(y, (ik)k∈[`], U

)) = 1 iff y = L(U)[i] ∧ i < #U ∧ i =

∑`k=1 ik2

k−1

Note that in the above the prover should normally give exactly ` = dlog(#U)e commitments.In case ` < dlog(#U)e the position is not fully hiding since it is implicit that i < 2`−1 so the verifiergets a partial information about the position.

For this we will compose a CP-SNARK CPPolyEval and a CP-NIZK CPRange for the relationsRPolyEval((ik)k∈[`], f, y)) = 1 iff f(i1, . . . , i`) = y and RRange(T, (ik)k∈[`]) = 1 iff i < T respectivelyand the commitment scheme CEdraxPed. So CPVCmem is a conjuction of the former, where thecommon commitments are (cik)k∈[`].

CP-SNARK for RVCmem

KeyGen(ck, RVCmem) : computes (ek1, vk1) ← CPPolyEval.KeyGen(ck, RPolyEval) and (ek2, vk2) ←CPRange.KeyGen(ck, RRange)Return (ek, vk)← ((ek1, ek2) , (vk1, vk2))

Prove(ek,#U, (cy, (cik )k∈[`], cU ), (y, (ik)k∈[`], U), (ry, (rik )k∈[`], rU ),∅) : parses ek := (ek1, ek2) and com-putes π1 ← CPPolyEval.Prove

(ek1,∅, (cy, (cik )k∈[`]), cU ), (y, (ik)k∈[`], U), (ry, (rik )k∈[`], rU ),∅

). Parses ck :=

(bp, prk, prkα, gα, gβ , h, hα, hβ) and further bp := (q, g,G1,GT , e) to get (g, h), then computes i ←∑`k=1 ik2k−1 and ri ←

∑`k=1 rik2k−1 and the corresponding commitment ci ← gihri . Notice that ci is

a commitment to i with o = ri. Computes π2 ← CPRange.Prove (ek1, (1,#U), ci, i, ri,∅)Return π = (π1, π2)

VerProof(vk,#U, (cy, (cik )k∈[`], cU ), π) : parses vk := (vk1, vk2) and π := (π1, π2). Then computes homomorhi-

cally ci,1 ←∏`k=1(cik,1)2

k−1

and ci,2 ←∏`k=1(cik,2)2

k−1

.Return b← CPPolyEval.VerProof(vk1,∅, (cy, (cik )k∈[`]), cU ), π1) ∧ CPRange.VerProof(vk2, (1,#U), ci,∅)

Fig. 15: MemCPVC

Theorem 6.2. Let CPPolyEval and CPRange be zero knowledge CP-SNARKs for the relations RPolyEval

and RRange respectively under the commitment scheme PolyCom then the above scheme is a zero

45

knowledge CP-SNARK for the relation RVCmem and the commitment scheme CEdraxPed. Further itis a CP-SNARK for Rmem under the same commitment scheme.

Proof Zero Knowledge comes directly from the zero knowledge of CPPolyEval and CPPolyEval.

For Knowledge Soundness, let an adversary A(R, crs, auxR, auxZ) outputting (x, c) :=(#U,

(cy, (cik)k∈[`], cU ))

and π such that VerProof(vk,#U, (cy, (cik)k∈[`], cU ), π) = 1. We will construct anextractor E that on input (R, crs, auxR, auxZ) outputs a valid witness w :=

((y, (ik)k∈[`], U), (ry, (rik)k∈[`],

rU ),∅).

E uses the extractors of EPolyEval, ERange of CPPolyEval and CPRange. EPolyEval outputs (y, (ik)k∈[`], f),(ry, (rik)k∈[`], rf ) such that f(i1, . . . , i`) = y ∧ PolyCom.VerCommit(ck, tF[s], cU , f, rf ) = 1∧PolyCom.VerCommit(ck, tq, cy, y, ry) = 1

∧`k=1 PolyCom.VerCommit(ck, tq, cik , ik, rik) = 1. Further,

from the Extended Power Knowledge of Exponent assumption we know that f is an `-variatepolynomial of maximum variable degree 1. Therefore it corresponds to a multilinear extensionof a unique vector

#»

U , which is efficiently computable. The extractor computes the vector#»

Ufrom f and the corresponding set U . It is clear that, since f is the multilinear extension ofthe U and PolyCom.VerCommit(ck, tF[s], cU , f, rf ) = 1, CEdraxPed.VerCommit(ck, tU , cU , U, rf ) = 1.

CEdraxPed.VerCommit(ck, tq, cy, y, ry) = 1∧`k=1 CEdraxPed.VerCommit(ck, tq, cik , ik, rik) = 1 is straight-

forward from the definition of the CEdraxPed commitment scheme for field elements type.

E uses the extractor of the commitment scheme PolyCom, EPolyCom, that outputs for each k =1, . . . , ` ik, rik such that cik,1 = gikhrik∧e(cik,1, gβ) = e(cik,2, g) or CEdraxPed.VerCommit(ck, tq, cik , rik) =1. ERange outputs (i, ri) such that i < #U∧PolyCom.VerCommit(ck, tq, ci, i, ri) = 1 which means that

ci,1 = gihri . Since the proof π is verified then ci,1 =∏`k=1(cik,1)

2k−1or gihri = g

∑`k=1 ik2

k−1h∑`k=1 rik2

k−1.

From the binding property of the Pedersen commitment we get that i =∑`

k=1 ik2k−1 and ri =∑`

k=1 rik2k−1.

Putting them together the extractor outputs((y, (ik)k∈[`], U), (ry, (rik)k∈[`], rf ),∅

)such that

CEdraxPed.VerCommit(ck, tq, cy, ry) = 1∧ì=1 CEdraxPed.VerCommit(ck, tq, cik , rik) = 1∧

CEdraxPed.VerCommit(ck, tU , cf , U, rf ) = 1 and further y = L(U)[i] ∧ i < #U ∧ i =∑`

k=1 ik2k−1. It

is straightforward that y = L(U)[i]∧ i < #U means that y ∈ U which leads to Rmem(y, U) = 1. ut

6.3 Input-hiding CP-SNARKs for Polynomial Evaluation

Here, we present an instantiation of a a zero knowledge CP-SNARK for the relation RPolyEval

presented in section 6.1.

To give an intuition of the protocol we recall that zk-vSQL uses lemma 6.1 to prove the correctevaluation of the polynomial, that we recall below.

Lemma 6.1 ([PST13]). Let f : F` → F be a polynomial of variable degree d. For all t :=(t1, . . . , t`) ∈ F` there exist efficiently computable polynomials q1, . . . , q` such that: f(z) − f(t) =∑`

i=1(zi − ti)qi(z).

With this one can verify in time linear in the number of variables that f(t) = y by checkingiff gf(t)g−y =

∏ì=1 e(g

si , wi), given the values gf(s), {gsi}ì=1, {wi = gqi(s)}ì=1 We are interested inthe committed values of f, y = f(t) and t, cf , cy, ct respectively, that hide them. For this we willuse instead the below equation for verification:

46

(f(z) + rfz`+1)− (f(t) + ryz`+1) =∑k=1

(zk − tk)qk(z) + z`+1(rf − ry) =

∑k=1

(zk − tk)(qk(z) + rkz`+1) + z`+1

(rf − ry −

∑k=1

rk(zk − tk)

)=

∑k=1

[zk − (tk + rtkz`+1)] · [qk(z) + rkz`+1]+

z`+1

(rf − ry −

∑k=1

rk(zk − tk) +∑k=1

rtk [qk(z) + rkz`+1]

)

The equation indicates us how to construct the protocol which we present in figure 16.

Theorem 6.3. Under the (`+ 1)d-Strong Diffie Hellmann and the (d, `)-Extended Power Knowl-edge of Exponent assumptions, CPPolyEval is a Knowledge Extractable CP-SNARK for the relationRPolyEval and the commitment scheme PolyCom.

Proof Below is a proof sketch, which however is quite similar to the one of CPpoly in [CFQ19].

Knowledge Soundness. The proof comes directly from Evaluation Extractability of vSQL (see[ZGK+17]) with the difference that here tk for each k ∈ [`] should also be extracted. However, itsextraction is straightforward from the extractability of the commitment scheme.

Zero-Knowledge. Consider the following proof simulator algorithmSprv(td, cf , (ctk)k∈[`], cy):

– Use td to get α.– for k = 1 to `, sample wk←$G1.

– compute w`+1 such that e(cf,1 · c−1y,1, g

)=∏`k=1 e

(gskc−1tk,1, wk

)· e (gs`+1 , w`+1) holds

– Use α to compute w′k = wak for all k ∈ [`+ 1]– Return {w1, ..., w`, w`+1, w

′1, . . . , w

′`, w′`+1}

It is straightforward to check that proofs created by Sprv are identically distributed to the onesreturned by CPPolyEval.Prove. (wk)k∈[`]’s are uniformely distributed in both cases. For w`+1 there isa function W such that w`+1 = W (cf,1, cy,1, vk, (ctk,1)k∈[`], (wk)k∈[`]) in both cases. Since the inputsare either identical or identically distributed, the outputs w`+1 are also identically distributed inthe case of of Sprv and CPPolyEval.Prove. ut

7 Experimental Evaluation

We implemented all our RSA-based CP-SNARKs for set-membership and non-membership as aRust library cpsnarks-set[cps]. Our library is implemented in a modular fashion such that anyelliptic curve from libzexe [SCI] and Ristretto from curve25519-dalek [LdV] can be used. In

47

CP-SNARK for RPolyEval

KeyGen(ck, RPolyEval) : parses ck := (bp, prk, prkα, gα, gβ , h, hα, hβ) and computes vrk← {gs1 , . . . , gs`}Return (ek, vk)←

( (bp, prk, prkα, gα, gβ , h, hα, hβ

),(bp, vrk, gα, gβ , h

) )Prove(ek,∅, (cy, (ctk )k∈[`], cf ), (y, (tk)k∈[`], f), (ry, (rtk )k∈[`], rf ),∅) : let ck := (bp, prk, prkα, gα, gβ , h, hα, hβ) :=(

(q, g,G1,GT , e),{g∏i∈W si : W ∈ W`,d

},{gα·

∏i∈W si : W ∈ W`,d

}, gα, gβ , gs`+1 , gαs`+1 , gβs`+1

)and

1. Sample r1, ..., r` ← F and compute q1, . . . , q` such that

(f(z) + rfz`+1)− (f(t) + ryz`+1) =∑k=1

[zk − (tk + rtkz`+1)] · [qk(z) + rkz`+1] + z`+1

(rf − ry −

∑k=1

rk(zk − tk) +∑k=1

rtk [qk(z) + rkz`+1]

)

By using prk :={g∏i∈W si : W ∈ W`,d

}and h compute wk = gqk(s)+rks`+1 for each k = 1, . . . , ` and

w`+1 = grf−ry−∑`k=1 rk(sk−tk)+

∑`k=1 rtk [qk(s)+rks`+1]

2. By using prkα :={gα·

∏i∈W si : W ∈ W`,d

}and hα compute w′k = gα·(qk(s)+rks`+1) for each k = 1, . . . , `

and w′`+1 = gα·(rf−ry−∑`k=1 rk(sk−tk)+

∑`k=1 rtk [qk(s)+rks`+1])

Return π = {w1, ..., w`, w`+1, w′1, ..., w

′`, w′`+1}

VerProof(vk,∅, (cy, (ctk )k∈[`], cf ), π) : parse π := {w1, ..., w`, w`+1, w′1, ..., w

′`, w′`+1}, vk :=

(bp, vrk, gα, gβ , h

)and cy := (cy,1, cy,2), ctk := (ctk,1, ctk,2) for each k = 1, . . . , `] and cf := (cf,1, cf,2)Return 1 iff

1. e(cy,1, gβ) = e(cy,2, g)

2. e(cf,1, gα) = e(cf,2, g)

3. e(ctk,1, gβ) = e(ctk,2, g) for all k = 1, ..., `

4. e(wk, gα) = e(w′k, g) for all k = 1, ..., `, `+ 1

5. e(cf · c−1

y , g)

=∏`k=1 e

(gskc−1

tk, wk

)· e (gs`+1 , w`+1)

Fig. 16

48

particular, this means that our CP-SNARKs can be easily (and efficiently) used in combinationwith other CP-SNARKs implemented over these elliptic curves, such as Bulletproofs [BBB+18] andLegoGroth1619 [CFQ19].

In this section, we provide details on the implementation, we present experimental results tovalidate the concrete efficiency of our solutions and we compare with existing approaches.

7.1 Implementation of cpsnarks-set

Our cpsnarks-set library includes implementations of the schemes MemCPRSA, MemCPRSAPrm,NonMemCPRSA, and NonMemCPRSAPrm. In all the schemes, the RSA accumulator implementation isa modification of accumulator [Cam19], and the internal protocols are implemented as interactiveand are made non-interactive with the use of Merlin [Hen19]. For MemCPRSA and NonMemCPRSA

– where we recall set elements can be binary strings and the protocol encodes them into primes – weused our implementation of LegoGroth16 [leg] on top of libzexe to provide efficient instantiationsof CPHashEq. For MemCPRSAPrm and NonMemCPRSAPrm – where set elements are already primes andone needs to verify a claim about ranges – we implemented two instantiations of CPRange: one basedon LegoGroth16 and one based on Bulletproofs.

Each of the protocols Root,Coprime,modEq,HashEq and the different instantiations of Rangeare implemented individually and are further composed into the higher level membership andnon-membership protocols. The higher level protocols are modular: they can use any hash-to-prime proof—or range proof in the prime elements case—as long as it implements the appropriateinterface.

We benchmark the implementation on a desktop machine having a 3.8 Ghz 6-Core Intel Corei7 processor and 32GB RAM. The benchmarks code is available on [cps] and [lib].

7.2 CP-SNARKs for Set Membership

For the problem of set membership, we tested the following instantiations of our solutions usingthe RSA-2048 [rsa] modulus: 1. MemCPRSA with LegoGroth16 for CPHashEq and a Blake2s-basedhash-to-prime mapping to 252-bit primes (MemCPLG

RSA);2. MemCPRSAPrm with LegoGroth16 on the BLS12-381 curve for CPRange (MemCPLG

RSAPrm), and:(a) 252-bit primes, (b) 63-bit primes; 3. MemCPRSAPrm with Bulletproofs on the Ristretto curve forCPRange (MemCPBP

RSAPrm), and: (a) 250-bit primes; (b) 62-bit primes. The results of our experimentsare summarized in Figure 17.

Fig. 17: Set Membership benchmarks – Our RSA schemes (|x|: size of set elements)

Solution |x| Ptime Vtime |crs| |Π| Pmemory

MemCPLGRSA 252 309.10 31.44 6852 4.4 45

MemCPLGRSAPrm 252 48.14 29.10 86 4.4 5

MemCPLGRSAPrm 63 43.91 27.492 86 4.4 5

MemCPBPRSAPrm 250 62.69 25.46 8 5.0 5

MemCPBPRSAPrm 62 38.04 21.97 2 5.0 5

bits ms ms KB KB MB

19 We implemented this scheme in Rust on top of libzexe as part of this work [leg].

49

Fig. 18: Set membership benchmarks – Merkle trees through [Gro16] zkSNARK

Depth Hash Ptime Vtime |crs| |Π| Pmemory

8 Pedersen 216 2.8 2512 0.192 2216 Pedersen 356 2.8 5023 0.192 3532 Pedersen 607 2.8 10047 0.192 4964 Pedersen 1135 2.8 20094 0.192 79

8 SHA256 1333 2.8 41276 0.192 9316 SHA256 2563 2.8 82430 0.192 19632 SHA256 5066 2.8 164737 0.192 42364 SHA256 10005 2.8 329352 0.192 913

ms ms KB KB MB

Comparison with Merkle-tree approach. We compare our solutions against one based onproving a valid opening of a Merkle Tree in a SNARK. Specifically, we ran experiments for Merkletrees with maximum capacities of {28, 216, 232, 264} elements, using the Groth16 SNARK [Gro16]over the BLS12-381 curve, with the following hash functions: 1. Pedersen Hash over the Jubjubcurve, a curve defined over the scalar field of the BLS12-381 G1 group. 20 2. SHA256. The Merkle treebenchmark code is based on the production Zcash code from [Zca]. The results of the experimentsare in Fig. 18. We recall that proofs in this solution are of 192 bytes.

As one can see from the results, our solutions are highly attractive in terms of proving timeand CRS size. For instance, compared to an optimized solution based on a Pedersen-Hash-basedMerkle tree containing up to 232 elements, our MemCPRSA scheme for arbitrary elements enjoys asub-second proof generation on a commodity laptop, it is more than twice faster and requires ashorter CRS. A price to pay in our solution is a larger proof size (4.4 kilobytes vs. 192 bytes) andhigher verification time (31ms vs. 2.8ms). Nevertheless, these values stay within practical reach.When comparing to less optimized solutions based on Merkle trees (e.g., using SHA256, somethingcommon in lack of specialized elliptic curves), we achieve up to 32× faster proving time and a 48×shorter CRS.

In addition to the aforementioned gains in prover efficiency, our solutions can benefit fromthe use of RSA accumulators to succinctly represent sets in comparison to using Merkle trees. Inparticular, the algebraic properties of RSA accumulators yield simple and efficient methods to add(resp. delete) elements to (resp. from) the set.

For instance, we can insert an element in an RSA accumulator in O(1) time and space, and withthe same complexity we can update each existing membership and non-membership witness. Thismeans that, once having an updated witness, our zero-knowledge proofs can also be recomputedin O(1) time and space. With respect to deleting elements, this can also be done in constant timeand space by a party who holds a valid membership witness.

Insertion and deletion in ordinary Merkle Trees may require O(n) time by rebuilding the treefrom scratch from the whole set (thus also requiring O(n) storage). A more efficient method forinsertion requires clients to store a “frontier” of size Θ(log(n)) of internal hashes which lowersthe time complexity to O(log(n)). One can also lower deletion times to O(log(n)) by using othertechniques, e.g., [Ray19], but at the expense of keeping O(n) storage. Updating a Sparse MerkleTrees requires O(n) time and space during updates. Inserting and deleting elements in IntervalMerkle trees requires keeping the elements contiguous and sorted. This brings the time/storage

20 This is the Bowe-Hopwood variant of a Pedersen hash, as described in [HBHW16].

50

Fig. 19: Set non-membership benchmarks – Our RSA schemes (|x|: size of set elements)

Solution |x| Ptime Vtime |crs| |Π| Pmemory

NMemLGRSA 252 324.90 40.37 6852 6.1 45

NMemLGRSAPrm 252 63.39 38.12 86 6.1 5

NMemBPRSAPrm 250 79.46 34.58 8 6.6 5

bits ms ms KB KB MB

complexity to O(n) for insertion and deletion, since we may need to rebuild substantial portions ofthe tree from scratch.

7.3 CP-SNARKs for Set Non-Membership

For set non-membership, we tested the following instantiations of our solutions using the RSA-2048 [rsa] modulus: 1. NonMemCPRSA with LegoGroth16 for CPHashEq and a Blake2s-based hash–to-prime mapping yielding primes of 252 bits; 2. NonMemCPRSAPrm with LegoGroth16 on theBLS12-381 curve for CPRange, and 252-bit primes; 3. NonMemCPRSAPrm with Bulletproofs on theRistretto curve for CPRange, and 250-bit primes.

The results of our experiments are summarized in Figure 19.

Comparison to other approaches for non-membership Non-membership proofs are usuallya more computationally intensive task in SNARKs. There are two common approaches to deal withthis problem using Merkle trees: sparse Merkle trees and interval Merkle trees. We did not testthese solutions experimentally. However, as we detail below, creating a zero-knowledge proof forone of these solutions would not be more efficient than proving one Merkle tree path. Therefore,our solutions for non-membership achieve at least the same improvement as in the previous section.

Sparse Merkle trees for a set S are built through an ordinary Merkle Tree T on the universe Uof elements (we assume there is some conventional way to index the elements). For each element xnot in the set S we store a dummy element in T corresponding to the index of x. For each elementin the S we store that particular element at the corresponding index. In order to prove that x 6∈ Swe provide an opening path of a Merkle tree whose leaf is a dummy value at the right index.Although there are efficient techniques to build or update a sparse Merkle Tree [LK12, DPP16], themain drawback with this technique is the opening size, which is Θ(log(|U|)) instead of Θ(log(|S|)).If we perform the opening inside a SNARK, we have to pay a higher proving time. For example,consider if we use SHA256 to index elements in a set with a roughly 32 bit-representations. Thiswould require a tree of size 2256 which typically implies at least a 256/32 = 8× slowdown.

Interval Merkle trees work by sorting the leaves on each insertion and storing a pair of adjacentelements in each leaf, signifying intervals that don’t contain elements in the set. The depth of anInterval Merkle Tree is the same as in an ordinary Merkle Tree. Nonetheless it has the followingperformance overheads: (i) opening requires two opening paths instead of only one (typically dou-bling the proving time); (ii) insertion requires sorting all leaves, which may be computationallydemanding if the set is large.

Unlike either of the approaches above, the size of the set does not impact proving time inour constructions. Moreover, both insertions and non-membership witness updates are efficient tocompute.

51

7.4 Improving Running Times: from Statistical ZK to Computational ZK

The schemes described in this section use statistically hiding commitments to achieve statisticalzero-knowledge. We can improve our running times switching to computationally hiding commit-ments and thus computational zero-knowledge. This optimization has concrete benefits as it cancut running times by approximately half. Specifically, it reduces by 50%:

– verification time in constructions MemCPRSA, MemCPRSAPrm, NonMemCPRSA and NonMemCPRSAPrm;

– proving time in constructions MemCPRSAPrm and NonMemCPRSAPrm.

The results of our experiments for membership and non-membership are summarized in Figures20 and 21 respectively.

Here are more details about the optimization. Our protocols, as originally described, make useof the integer commitment of Damgard and Fujisaki [DF02] as described in section 4.1. In thisscheme we hide the value by uniformly sampling an integer r from a large set. Its size should beat least around the order of the group; for RSA groups, for example, this is equivalent to samplingr←$ [1, N/2]. Performing exponentiations with such a large integer—on average N/4 in the RSAcase— is expensive.

To overcome this problem, we propose a computationally hiding integer commitment variantof the above, in which r is picked from a smaller set; we sample it as r←$ [1, 22λ]. The scheme ishiding under the assumption that {Gr1 : r1←$ [1, N/2]} and {Gr2 : r2←$ [1, 22λ]} are computa-tionally indistinguishable 21. This assumption can be justified in the generic group model. Similarassumption related to non-uniform distributions over [1, ord(G)] have been proven secure in GGMby Bartusek et. al. [BMZ19]. This approach makes exponentiations by r faster on average sinceN > 22λ.

Fig. 20: Set Membership benchmarks – Our RSA schemes with the computational ZK optimization(|x|: size of set elements)

Solution |x| Ptime Vtime |crs| |Π|MemCPLG

RSA 252 292 17.6 6852 3

MemCPLGRSAPrm 252 26.11 15.12 86 3

MemCPLGRSAPrm 63 21.95 13.61 86 3

MemCPBPRSAPrm 250 41.53 11.21 8 3.6

MemCPBPRSAPrm 62 16.26 7.83 2 3.6

bits ms ms KB KB

8 Applications

In this section, we discuss applications of our solutions for proving set (non-)membership in asuccinct and modular way.

As one can note, in our solutions the set of committed elements is public and not hidden to theverifier. Nevertheless, our solutions can still capture some applications in which the “actual” data inthe set is kept private. This is for example the case of anonymous cryptocurrencies like Zerocash. In

21 Due to generic lower bounds on the DLOG problem [Sho97], [1, 2λ] would not be enough.

52

Fig. 21: Set non-membership benchmarks – Our RSA schemes with the computational ZK opti-mization (|x|: size of set elements)

Solution |x| Ptime Vtime |crs| |Π|NMemLG

RSA 252 301 22.41 6852 4.2

NMemLGRSAPrm 252 30.26 17.99 86 4.2

NMemBPRSAPrm 250 45.23 14.33 8 4.7

bits ms ms KB KB

this scenario, the public set of elements to be accumulated, U , is derived by creating a commitmentto the underlying data, X, e.g., u = COMM(x). To support this setting, we can use our solutionsfor arbitrary elements (so supporting virtually any commitment scheme). Interestingly, though, wecan also use our (more efficient) solution for sets of primes if commitments are prime numbers. Thiscan be done by using for example the hash-to-prime method described in Section 4.1 or anothermethod for Pedersen commitments that we explain below in the context of Zerocash.

We now discuss concrete applications for which our constructions are suitable, both for set-membership and set non-membership. In particular these are applications in which: (1) the provertime must be small; (2) the size of the state (i.e.: the accumulator value and commitments) must besmall (potentially constant); (3) the verifier time should be small; and (4) the time to update theaccumulator—adding or deleting an element—should be fast. As we discuss below, our RSA-basedconstructions are suitable candidate for settings with these constraints.

Zerocash. Zerocash [BCG+14] is a UTXO-type (Unspent Transaction Output) cryptocurrencyprotocol which extends Bitcoin with privacy-preserving (shielded) transactions. When performinga shielded transaction users need to prove they are spending an output note from a token they hadpreviously received. Users concerned with privacy should not reveal which note they are spending,else their new transaction could be linked to the original note that contained the note commitment.This would reveal information both to the public and the sender of the initial transaction, and hencepartially reveal the transaction graph. In order to keep transactions unlinkable, the protocol useszkSNARKs to prove a set membership relation, namely that a note commitment is in a publiclyknown set of “usable” note commitments.

Zcash is a full-fledged digital currency using Zerocash as the underlying protocol. In its currentdeployment, Sapling [HBHW16], it employs Pedersen commitments of the notes and makes a zero-knowledge set membership proof of these commitments using a Pedersen-Hash-based Merkle treeapproach. This is the part of the protocol that can be replaced by one of our RSA-based solutionsin order to obtain a speedup in proving time. In particular, we could slightly modify the notecommitments in order to enable the use of our scheme MemCPRSAPrm for sets of prime numbers,which gives the best efficiency. We can proceed as follows. Let us recall that the note commitmentsare represented by their x coordinates in the underlying elliptic curve group. We can then modifythem so that the sender chooses a blinding factor such that the commitment representation ofa note is a prime number, and we can add a consensus rule that enforces this check. With thischange, we can achieve a solution that is significantly more efficient than that currently used inZcash. Currently Zcash uses a Merkle Tree whose depth is 32. In this setting, we would be able toreduce proving time of set-membership from 1.12s to 54.51ms, trading it for larger proof sizes. Wenote that in this application, the set-membership proof about u ∈ S is accompanied by anotherpredicate P (u). In the proof statement of the Zcash protocol, proving that P (u) is satisfied takes

53

considerably less time than the membership proof, hence this is why our solution would improve theoverall proving time considerably, albeit the proof having more components. Another interestingcomment is that our solution significantly reduces the size of the circuit, hence the need of a succinctproof system is reduced and one may even consider instantiations with other proof systems, suchas Bulletproofs, that would offer transparency at the price of larger proofs and verification time.

Asset Governance. In the context of blockchain-based asset transfers protocols, a governancesystem must be established to determine who can create new assets. In many cases these assetsmust be publicly traceable (i.e., their total supply must be public), yet in others, where the assetscan be issued privately, validators still need to verify that the assets were issued by an authorizedissuer. Specifically, there may be a public set of rules, X (where a rule = (pk, [a, b])), definingwhich entities (public keys) are allowed to issue which assets (defined by a range of asset types),forming an “issuance whitelist”. When one of those issuers wants to issue a new asset, they need toprove (in zero knowledge) that their public key belongs to the issuance whitelist, which entails setmembership, as well as prove that the asset type they issued is within the allowed range of assettypes (as defined in the original rule). In this case, the accumulated set of rules is public to all,and this public information may also include a mapping between rules and prime numbers. OurRSA-based scheme for sets of primes (Section 4.3) can suit this scenario.

Anonymous Broadcast. In a peer-to-peer setting, anonymous broadcast allows users in a groupto broadcast a message without revealing their identity. They can only broadcast once on eachtopic. One approach described in [sem19] works by asking users to put down a deposit which theywill lose if they try and broadcast multiple messages on the same topic. In this approach usersjoining a group deposit their collateral in a smart contract. Whoever has the private key used bythe client for the deposit can claim the sum. The approach in [sem19] makes sure that the key isleaked if one broadcasts more than one message. To enforce this leakage we require that at broadcasttime users (i) derive an encryption key K that depends on their private key and the topic, and (ii)compute an encryption of the private key by the newly derived K. Then the users publish both theciphertext and a secret share of the encryption key K, and prove (in zero-knowledge) their publickey is part of the group and that (i) and (ii) were performed correctly. Which specific share needsto be revealed depends on the broadcasted message, thus making it likely two different shares willbe leaked for two different messages.

This way, broadcasting multiple messages on the same topic reveals the user’s private key,allowing other users to remove them from the group by calling a function in the smart contractand receive part of the deposit.

A particularly interesting use case for anonymous broadcast is that in which the group is com-prised of validators participating in a consensus algorithm, who would like to broadcast messageswithout exposing their node’s identity and thus prevent targeted DoS attacks. This setting requiresproofs to be computed extremely fast while verification performance requirements are less strict.Our MemCPRSAPrm can satisfy these performance requirements trading for a modest increase inproof size.

Financial Identities. In the financial world, regulations establish that financial organizationsmust know who their costumers are [FIN]. This is called a KYC check and allows to reduce the riskof fraud. Some common practices for KYC often undermines user privacy as they involve collectinga lot of personal information on them. Zero-knowledge proofs allow for an alternative approach.In modern systems, one can expect that individuals or companies will be able to prove that they

54

belong to a set of accepted or legitimate identities. A privacy-preserving KYC check would then bereduced to generating a set-membership proof in zero-knowledge. Often some further informationis required, e.g. the credit score of the individual. In such cases our CP-SNARK for set membershipcan be combined with one proving an additional predicate P (id) on the identity in a modularfashion.

Regarding applications of non-membership proofs, we expand on the well-known concept of“blacklists”, where identities (or credentials) must be shown to not belong to a certain set of iden-tities (or credentials). As an example, in the context of financial identities, anti-money launderingregulations (AML) [SC18] require customers not to be in a list of fraudulent identities. Here onecan use our non-membership construction to generate a proof that the customer does not belongto the set of money launderers (or those thought to be). Because, as in the set-membership case,a user may have to prove additional information about their identity, here we can also benefitfrom a modular framework. Furthermore, modularity allows us to cheaply prove both membershipand non-membership (at the same time) for the same identity id together with some additionalinformation P (id) : holding commitment c(id) one can produce the following tuple of proofs: (1) amembership proof (id ∈ S); (2) a non-membership proof (id 6∈ S′); (3) a CP-SNARK proof thatincludes the statement to be proven on that identity (P (id)).

We note that in some cases, a central authority, who controls the white and black lists, is trustedto ensure the integrity of the lists. This means that the identities can be added or removed fromthe lists, which means that our RSA-based construction is ideal given the comparatively reducedcost of updating the dynamic accumulator.

Zerocoin Vulnerability. Another specific application of our RSA-based constructions is that ofsolving the security vulnerability of the implementation of the Zerocoin protocol [MGGR13] used inthe Zcoin cryptocurrency [Yap19]. The vulnerability in a nutshell: when proving equality of valuescommitted under the RSA commitment and the prime-order group commitment, the equality maynot hold over the integers, and hence one could easily produce collisions in the prime order group.Our work can provide different ways to solve this problem by generating a proof of equality overthe integers.

Acknowledgements

Research leading to these results has been partially supported by the Spanish Government underprojects SCUM (ref. RTI2018-102043-B-I00), CRYPTOEPIC (refs. ERC2018-092822, EUR2019-103816), and SECURITAS (ref. RED2018-102321-T), by the Madrid Regional Government underproject BLOQUES (ref. S2018/TCS-4339), and by research grants from Protocol Labs, and fromNomadic Labs and the Tezos Foundation.

References

AGM18. Shashank Agrawal, Chaya Ganesh, and Payman Mohassel. Non-interactive zero-knowledge proofs forcomposite statements. In Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO 2018, Part III,volume 10993 of LNCS, pages 643–673. Springer, Heidelberg, August 2018.

BBB+18. Benedikt Bunz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, and Greg Maxwell. Bul-letproofs: Short proofs for confidential transactions and more. In 2018 IEEE Symposium on Security andPrivacy, pages 315–334. IEEE Computer Society Press, May 2018.

BBF18a. Dan Boneh, Benedikt Bunz, and Ben Fisch. Batching techniques for accumulators with applications toiops and stateless blockchains. IACR Cryptology ePrint Archive, 2018:1188, 2018.

55

BBF18b. Dan Boneh, Benedikt Bunz, and Ben Fisch. A survey of two verifiable delay functions. Cryptology ePrintArchive, Report 2018/712, 2018. https://eprint.iacr.org/2018/712.

BCF19. Daniel Benarroch, Matteo Campanelli, and Dario Fiore. Community standards proposal for commit-and-prove zero-knowledge proof systems, 2019. https://www.binarywhales.com/assets/misc/zkproof-cp-standards.pdf.

BCG+14. Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, andMadars Virza. Zerocash: Decentralized anonymous payments from bitcoin. In 2014 IEEE Symposium onSecurity and Privacy, pages 459–474. IEEE Computer Society Press, May 2014.

Bd94. Josh Cohen Benaloh and Michael de Mare. One-way accumulators: A decentralized alternative to digitalsinatures (extended abstract). In Tor Helleseth, editor, EUROCRYPT’93, volume 765 of LNCS, pages274–285. Springer, Heidelberg, May 1994.

BH01. Johannes Buchmann and Safuat Hamdy. A survey on {IQ} cryptography, 2001. http://tubiblio.ulb.tu-darmstadt.de/100933/.

BMZ19. James Bartusek, Fermi Ma, and Mark Zhandry. The distinction between fixed and random generators ingroup-based assumptions. In Hovav Shacham and Alexandra Boldyreva, editors, CRYPTO 2019, Part II,LNCS, pages 801–830. Springer, Heidelberg, August 2019.

BP97. Niko Bari and Birgit Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees.In Walter Fumy, editor, EUROCRYPT’97, volume 1233 of LNCS, pages 480–494. Springer, Heidelberg,May 1997.

Cam19. Cambrian Tech. Cryptographic accumulators in rust., 2019. https://github.com/cambrian/

accumulator.CF13. Dario Catalano and Dario Fiore. Vector commitments and their applications. In Kaoru Kurosawa

and Goichiro Hanaoka, editors, PKC 2013, volume 7778 of LNCS, pages 55–72. Springer, Heidelberg,February / March 2013.

CFQ19. Matteo Campanelli, Dario Fiore, and Anaıs Querol. Legosnark: Modular design and composition ofsuccinct zero-knowledge proofs. To appear at ACM CCS 2019. IACR Cryptology ePrint Archive, 2019,2019.

Cha85. David Chaum. Security without identification: Transaction systems to make big brother obsolete. Com-mun. ACM, 28(10):1030–1044, October 1985.

CKS09. Jan Camenisch, Markulf Kohlweiss, and Claudio Soriente. An accumulator based on bilinear maps andefficient revocation for anonymous credentials. In Stanislaw Jarecki and Gene Tsudik, editors, PKC 2009,volume 5443 of LNCS, pages 481–500. Springer, Heidelberg, March 2009.

CL02. Jan Camenisch and Anna Lysyanskaya. Dynamic accumulators and application to efficient revocationof anonymous credentials. In Moti Yung, editor, CRYPTO 2002, volume 2442 of LNCS, pages 61–76.Springer, Heidelberg, August 2002.

CLOS02. Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai. Universally composable two-party andmulti-party secure computation. In 34th ACM STOC, pages 494–503. ACM Press, May 2002.

CMS99. Christian Cachin, Silvio Micali, and Markus Stadler. Computationally private information retrieval withpolylogarithmic communication. In Jacques Stern, editor, EUROCRYPT’99, volume 1592 of LNCS,pages 402–414. Springer, Heidelberg, May 1999.

CPP17. Geoffroy Couteau, Thomas Peters, and David Pointcheval. Removing the strong RSA assumptionfrom arguments over the integers. In Jean-Sebastien Coron and Jesper Buus Nielsen, editors, EU-ROCRYPT 2017, Part II, volume 10211 of LNCS, pages 321–350. Springer, Heidelberg, April / May2017.

cps. Cpsnarks-set. https://github.com/kobigurk/cpsnarks-set.CPZ18. Alexander Chepurnoy, Charalampos Papamanthou, and Yupeng Zhang. Edrax: A cryptocurrency with

stateless transaction validation. 2018.CS99. Ronald Cramer and Victor Shoup. Signature schemes based on the strong RSA assumption. In Juzar

Motiwalla and Gene Tsudik, editors, ACM CCS 99, pages 46–51. ACM Press, November 1999.DF02. Ivan Damgard and Eiichiro Fujisaki. A statistically-hiding integer commitment scheme based on groups

with hidden order. In Yuliang Zheng, editor, ASIACRYPT 2002, volume 2501 of LNCS, pages 125–142.Springer, Heidelberg, December 2002.

DG20. Samuel Dobson and Steven D. Galbraith. Trustless groups of unknown order with hyperelliptic curves.Cryptology ePrint Archive, Report 2020/196, 2020. https://eprint.iacr.org/2020/196.

DPP16. Rasmus Dahlberg, Tobias Pulls, and Roel Peeters. Efficient sparse merkle trees: Caching strategies andsecure (non-)membership proofs. Cryptology ePrint Archive, Report 2016/683, 2016. https://eprint.

iacr.org/2016/683.

56

https://eprint.iacr.org/2018/712

http://tubiblio.ulb.tu-darmstadt.de/100933/

http://tubiblio.ulb.tu-darmstadt.de/100933/

https://github.com/cambrian/accumulator

https://github.com/cambrian/accumulator

https://github.com/kobigurk/cpsnarks-set




DT08. Ivan Damgard and Nikos Triandopoulos. Supporting non-membership proofs with bilinear-map accumu-lators. Cryptology ePrint Archive, Report 2008/538, 2008. http://eprint.iacr.org/2008/538.

EG14. Alex Escala and Jens Groth. Fine-tuning Groth-Sahai proofs. In Hugo Krawczyk, editor, PKC 2014,volume 8383 of LNCS, pages 630–649. Springer, Heidelberg, March 2014.

FFG+16. Dario Fiore, Cedric Fournet, Esha Ghosh, Markulf Kohlweiss, Olga Ohrimenko, and Bryan Parno. Hashfirst, argue later: Adaptive verifiable computations on outsourced data. In Edgar R. Weippl, StefanKatzenbeisser, Christopher Kruegel, Andrew C. Myers, and Shai Halevi, editors, ACM CCS 2016, pages1304–1316. ACM Press, October 2016.

FIN. FINRA. https://www.finra.org/rules-guidance/rulebooks/finra-rules/2090#the-rule.FN02. Nelly Fazio and Antonio Nicolosi. Cryptographic accumulators: Definitions, constructions and applica-

tions. Paper written for course at New York University: www. cs. nyu. edu/nicolosi/papers/accumulators.pdf, 2002.

FO97. Eiichiro Fujisaki and Tatsuaki Okamoto. Statistical zero knowledge protocols to prove modular poly-nomial relations. In Burton S. Kaliski Jr., editor, CRYPTO’97, volume 1294 of LNCS, pages 16–30.Springer, Heidelberg, August 1997.

FT14. Pierre-Alain Fouque and Mehdi Tibouchi. Close to uniform prime number generation with fewer randombits. In Javier Esparza, Pierre Fraigniaud, Thore Husfeldt, and Elias Koutsoupias, editors, ICALP 2014,Part I, volume 8572 of LNCS, pages 991–1002. Springer, Heidelberg, July 2014.

GHR99. Rosario Gennaro, Shai Halevi, and Tal Rabin. Secure hash-and-sign signatures without the randomoracle. In Jacques Stern, editor, EUROCRYPT’99, volume 1592 of LNCS, pages 123–139. Springer,Heidelberg, May 1999.

GMR89. Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proofsystems. SIAM Journal on Computing, 18(1):186–208, 1989.

Gro16. Jens Groth. On the size of pairing-based non-interactive arguments. In Marc Fischlin and Jean-SebastienCoron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages 305–326. Springer, Heidelberg,May 2016.

GS08. Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilinear groups. In Nigel P.Smart, editor, EUROCRYPT 2008, volume 4965 of LNCS, pages 415–432. Springer, Heidelberg, April2008.

GW11. Craig Gentry and Daniel Wichs. Separating succinct non-interactive arguments from all falsifiable as-sumptions. In Lance Fortnow and Salil P. Vadhan, editors, 43rd ACM STOC, pages 99–108. ACM Press,June 2011.

HBHW16. Daira Hopwood, Sean Bowe, Taylor Hornby, and Nathan Wilcox. Zcash protocol specification. Tech.rep. 2016–1.10. Zerocoin Electric Coin Company, Tech. Rep., 2016. https://github.com/zcash/zips/

blob/master/protocol/sapling.pdf.Hen19. Henry de Valence. Merlin: composable proof transcripts for public-coin arguments of knowledge, 2019.

https://github.com/dalek-cryptography/merlin.LdV. Isis Agora Lovecruft and Henry de Valence. curve25519-dalek: A pure-rust implementation of group

operations on ristretto and curve25519. https://github.com/dalek-cryptography/curve25519-dalek.Lee20. Jonathan Lee. The security of groups of unknown order based on jacobians of hyperelliptic curves.

Cryptology ePrint Archive, Report 2020/289, 2020. https://eprint.iacr.org/2020/289.leg. Rust implementation of LegoGroth16. https://github.com/kobigurk/legogro16.lib. cpsnarks-librustzcash. https://github.com/kobigurk/cpsnarks-librustzcash.Lip12. Helger Lipmaa. Secure accumulators from euclidean rings without trusted setup. In Feng Bao, Pierangela

Samarati, and Jianying Zhou, editors, ACNS 12, volume 7341 of LNCS, pages 224–240. Springer, Hei-delberg, June 2012.

LK12. Ben Laurie and Emilia Kasper. Revocation transparency. Google Research, September, page 33, 2012.LLNW16. Benoıt Libert, San Ling, Khoa Nguyen, and Huaxiong Wang. Zero-knowledge arguments for lattice-

based accumulators: Logarithmic-size ring signatures and group signatures without trapdoors. In MarcFischlin and Jean-Sebastien Coron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages1–31. Springer, Heidelberg, May 2016.

LLX07. Jiangtao Li, Ninghui Li, and Rui Xue. Universal accumulators with efficient nonmembership proofs.In Jonathan Katz and Moti Yung, editors, ACNS 07, volume 4521 of LNCS, pages 253–269. Springer,Heidelberg, June 2007.

LY10. Benoıt Libert and Moti Yung. Concise mercurial vector commitments and independent zero-knowledgesets with short proofs. In Daniele Micciancio, editor, TCC 2010, volume 5978 of LNCS, pages 499–517.Springer, Heidelberg, February 2010.

57

http://eprint.iacr.org/2008/538

https://www.finra.org/rules-guidance/rulebooks/finra-rules/2090#the-rule

https://github.com/zcash/zips/blob/master/protocol/sapling.pdf

https://github.com/zcash/zips/blob/master/protocol/sapling.pdf

https://github.com/dalek-cryptography/merlin

https://github.com/dalek-cryptography/curve25519-dalek


https://github.com/kobigurk/legogro16

https://github.com/kobigurk/cpsnarks-librustzcash

Mer88. Ralph C. Merkle. A digital signature based on a conventional encryption function. In Carl Pomerance,editor, CRYPTO’87, volume 293 of LNCS, pages 369–378. Springer, Heidelberg, August 1988.

MGGR13. Ian Miers, Christina Garman, Matthew Green, and Aviel D. Rubin. Zerocoin: Anonymous distributedE-cash from Bitcoin. In 2013 IEEE Symposium on Security and Privacy, pages 397–411. IEEE ComputerSociety Press, May 2013.

Ngu05. Lan Nguyen. Accumulators from bilinear pairings and applications. In Alfred Menezes, editor, CT-RSA 2005, volume 3376 of LNCS, pages 275–292. Springer, Heidelberg, February 2005.

OWWB19. Alex Ozdemir, Riad S. Wahby, Barry Whitehat, and Dan Boneh. Scaling verifiable computation usingefficient set accumulators. Cryptology ePrint Archive, Report 2019/1494, 2019. https://eprint.iacr.

org/2019/1494.PHGR13. Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. Pinocchio: Nearly practical verifiable

computation. In 2013 IEEE Symposium on Security and Privacy, pages 238–252. IEEE Computer SocietyPress, May 2013.

PST13. Charalampos Papamanthou, Elaine Shi, and Roberto Tamassia. Signatures of correct computation. InAmit Sahai, editor, TCC 2013, volume 7785 of LNCS, pages 222–242. Springer, Heidelberg, March 2013.

PSTY13. Charalampos Papamanthou, Elaine Shi, Roberto Tamassia, and Ke Yi. Streaming authenticated datastructures. In Thomas Johansson and Phong Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 ofLNCS, pages 353–370. Springer, Heidelberg, May 2013.

Ray19. James Ray. Patricia tree, 2019. https://github.com/ethereum/wiki/wiki/Patricia-Tree.rsa. Rsa-2048. https://en.wikipedia.org/wiki/RSA_numbers#RSA-2048.SC18. U.S. Securities and Exchange Commission. Anti-money laundering (aml) source tool for broker-dealers,

October 2018. https://www.sec.gov/about/offices/ocie/amlsourcetool.htm.SCI. SCIPR Lab. Zexe (zero knowledge execution). https://github.com/scipr-lab/zexe.sem19. Semaphore rln, rate limiting nullifier for spam prevention in anonymous p2p setting, February 2019.

https://ethresear.ch/t/semaphore-rln-rate-limiting-nullifier-for-spam-prevention-in-anonymous-p2p-setting/

5009.Sho97. Victor Shoup. Lower bounds for discrete logarithms and related problems. In Walter Fumy, editor,

EUROCRYPT’97, volume 1233 of LNCS, pages 256–266. Springer, Heidelberg, May 1997.Val08. Paul Valiant. Incrementally verifiable computation or proofs of knowledge imply time/space efficiency.

In Ran Canetti, editor, TCC 2008, volume 4948 of LNCS, pages 1–18. Springer, Heidelberg, March 2008.Wes18. Benjamin Wesolowski. Efficient verifiable delay functions. Cryptology ePrint Archive, Report 2018/623,

2018. https://eprint.iacr.org/2018/623.Yap19. Reuben Yap. Cryptographic description of zerocoin attack, 2019. https://zcoin.io/cryptographic-

description-of-zerocoin-attack/.Zca. Zcash. Zcash rust crates. https://github.com/zcash/librustzcash.ZGK+17. Yupeng Zhang, Daniel Genkin, Jonathan Katz, Dimitrios Papadopoulos, and Charalampos Papaman-

thou. A zero-knowledge version of vSQL. Cryptology ePrint Archive, Report 2017/1146, 2017.https://eprint.iacr.org/2017/1146.

ZKP17. Y. Zhang, J. Katz, and C. Papamanthou. An expressive (zero-knowledge) set accumulator. In 2017 IEEEEuropean Symposium on Security and Privacy (EuroS P), pages 158–173, April 2017.

ZXZS20. Jiaheng Zhang, Tiancheng Xie, Yupeng Zhang, and Dawn Song. Transparent polynomial delegation andits applications to zero knowledge proof. IEEE Symposium on Security and Privacy, 2020.

A Accumulator Definitions

Below is the definition of Accumulators, following the definition of [FN02]. We insist on public keyaccumulators, meaning that after the key generation phase no party has access to the secret key.

Definition A.1 (Accumulators). A static (non-Universal) Accumulator with domain X is atuple of 4-algorithms, Acc = (Gen,Eval,Witness,VerWit)

Gen(1λ, t) → (sk, ek, vk) is a (probabilistic) algorithm that takes the security parameter λ and aparameter t for the upper bound of the number of elements to be accumulated. If t =∞ there isno upper bound. Returns a secret key sk, an evaluation key ek and a verification key vk.

58



https://en.wikipedia.org/wiki/RSA_numbers#RSA-2048

https://www.sec.gov/about/offices/ocie/amlsourcetool.htm

https://github.com/scipr-lab/zexe

https://ethresear.ch/t/semaphore-rln-rate-limiting-nullifier-for-spam-prevention-in-anonymous-p2p-setting/5009

https://ethresear.ch/t/semaphore-rln-rate-limiting-nullifier-for-spam-prevention-in-anonymous-p2p-setting/5009


https://github.com/zcash/librustzcash


Eval(ek,X ) → (accX , aux) takes the evaluation key and a set X and in case X ⊆ X outputs theaccumulated value accX and some auxiliary information aux. If X * X outputs ⊥.

Witness(ek, x, aux) → witx takes the evaluation key ek, the value x and the auxiliary informationaux and outputs either a witness witx of x ∈ X or ⊥ if x /∈ X .

VerWit(vk, accX , x, w) → b takes the verification key vk, the accumulation value accX , a value xand a witness w and outputs 1 if witx is a witness of x ∈ X and 0 otherwise.

Further, we give the definition of Dynamic Accumulators, a notion that was introduced byCamenisch and Lysyanskaya [CL02]. Dynamic Accumulators are Accumulators that additionallyprovide the ability to update the accumulated value and the witnesses when the set is updated,either on addition of a new element or on deletion.

Definition A.2 (Dynamic Accumulators). A Dynamic Accumulator Acc with domain X is astatic Accumulator that additionally provides three algorithms (Add,Delete,WitUpdate).

Add(ek, accX , y, aux)→ (accX ′ , aux′) takes the evaluation key ek, the accumulated value accX , thevalue to be added to the set y and the auxiliary information aux. If y /∈ X ∧ y ∈ X outputs thenew accumulation value for X ′ = X ∪ {y}, accX ′ and a new auxiliary information aux′. In casey ∈ X or y /∈ X outputs ⊥.

Delete(ek, accX , y, aux) → (accX ′ , aux′) takes the evaluation key ek, the accumulated value accX ,the value to be deleted from the set y and the auxiliary information aux. If y ∈ X ∧y ∈ X outputsthe new accumulation value for X ′ = X \ {y}, accX ′ and a new auxiliary information aux′. Incase y /∈ X or y /∈ X outputs ⊥.

WitUpdate(ek, witx, y, aux) → wit′x takes the evaluation key ek, a witness witx to be updated, thevalue y that was either added or deleted from X and the auxiliary information. In case x ∈ X ′outputs the updated witness wit′x, otherwise outputs ⊥.

Normally, we demand that update algorithms, Add and Delete are more efficient than recomputingthe accumulation value from scratch with Eval. However in the publicly updatable setting this isnot always possible, while it may be possible when the party holds the secret key. Still in this workwe treat public key accumulators.

Security Correctness. For every t = poly(λ) and |X | ≤ t:

Pr

(sk, ek, vk)← GenAcc(1λ, t);

accX ← EvalAcc(ek,X );

w ←Witness(ek,X , x)

: VerWit(vk, accX , x, w)

= 1

Soundness. A cryptographic accumulator is sound if for all t = poly(λ) and for all PPT adversariesA there is a negligible function negl(·) such that:

Pr

[(sk, ek, vk)← GenAcc(1λ, t); (y∗, wit∗y,X ∗)← A(1λ, ek, vk);

accX ∗ ← EvalAcc(ek,X ∗) : VerWit(vk, accX ∗ , y∗, wit∗y) = 1 ∧ y∗ ∈ X ∗

]≤ negl(λ)

59

A.1 Dynamic Strong RSA Accumulators

We formally define Dynamic Strong RSA Accumulators [Bd94, BP97, CL02] described in section4.1. It has domain X = Primes.

Gen(1λ,∞) → (sk, ek, vk) samples an RSA modulus (N, (q1, q2)) ← GenSRSAmod(1λ) and a gen-erator F ←$Z∗N and computes a quadratic residue G← F 2 (mod N).

Return (sk, ek, vk)← ((q1, q2), (N,G), (N,G))

Eval(ek,X ) → (accX , aux) parses ek := (N,G). If X * Primes return ⊥, otherwise computesprodX :=

∏xi∈X xi and

Return (accX , aux)← (GprodX mod N,X )

Witness(ek, x, aux)→ witx parses ek := (N,G), X := aux and computes prodX\{x} :=∏xi∈X\{x} xi

Return witx ← GprodX\{x} mod N

VerWit(vk, accX , x, w)→ b parses vk := (N,G)

Return b← (wx = accX (mod N))

Security of strong RSA Accumulator and Batch-Verification Collision Freeness of theabove Accumulator comes directly from strong RSA assumption. What is more interesting is thatthe same scheme allows for many memberships to be verified at the same time, what is calledbatch-verification. That is, given x1, . . . , xm ⊆ Primes one can compute a batch-witness W =GprodX\{x1,...,xm} and the verification will be b ← (W x1...xm = accX ). Again the security of thebatch-verification comes from strong RSA assumption and it allows us argue that for any W,x ifW x = accX := GprodX then x ∈ ΠX , meaning that x is a product of primes of the set X .

B Generic CP-SNARK for set membership from accumulators with proof ofknowledge

We show here that any accumulator Acc scheme together with a zero knowledge proof of knowl-edge that a committed value is accumulated, with a commitment scheme Com, can genericallyconstruct a CP-SNARK for set membership. Let CPAccWit be a zero knowledge proof for the rela-tion RAccWit((Acc, cu), (wit, u, o)) = 1 iff VerCommit(ck, cu, u, o) = 1 ∧ VerWit(vk, Acc, u, wit) = 1.Consider a type commitment scheme that takes one type for sets that can be accumulated by Accand one for elements of the domain of Com. So it is the canonical composition of ComAcc • Com,where ComAcc is decribed in figure 22.

Setup((1λ, t)) : computes (sk, ek, vk)← Acc.Gen(1λ, t) and returns ck := (ek, vk).Commit(ck, tU , U) : parses ck := (ek, vk), computes (Acc, aux)← Eval(ek, U) and returns (c, o) := (Acc,∅).VerCommit(ck, tU , c, U,∅) : parses ck := (ek, vk), computes (Acc, aux)← Eval(ek, U) and return 1 iff c = Acc.

Fig. 22: ComAcc

Finally the generic CP-SNARK can be seen in figure 23.

60

KeyGen(ck, R∈) : Generate the crsAccWit ←$CPAccWit.KeyGen(RAccWit)Return crs := crsAccWit.

Prove(crs, (cU , cu), (U, u), (∅, o)) : parse ck := ((ekAcc, vkAcc), ckCom) and compute witu ← Acc.Witness(ek, u, U).Then compute πAccWit ← CPAccWit.Prove(crs, (Acc, cu), (wit, u, o))Return π := πAccWit

VerProof(crs, (cU , cu), π) : Return 1 iff CPAccWit.VerProof(crsAccWit, (ce, cU ), πRoot) = 1.

Fig. 23: MemCPAcc CP-SNARK for set membership

Theorem B.1. Let Com be a computationally binding commitment scheme, Acc a sound Accu-mulator scheme and CPAccWit be a knowledge sound proof then MemCPAcc is a knowledge-soundwith partial opening of the set commitments cU for the Rmem relation and the ComAcc commitmentscheme. Furthermore, if Com,is statistically hiding commitments and CPAccWit is zero-knowledge,then MemCPAcc is zero-knowledge.

C Vector Commitments

A vector commitment (VC) [LY10, CF13] is a primitive that allows one to commit to a vectorv of length n in such a way that it can later open the commitment at any position i ∈ [n]. Interms of security, a VC should be position binding in the sense that it is not possible to opena commitment to two different values at the same position. Also, what makes VC an interestingprimitive is conciseness, which requires commitment and openings to be of fixed size, independentof the vector’s length. Furthermore, a vector commitment can also support updates, meaning thatupdates in the underlying vector allow efficient updates of the commitment and the opening proofs.We note that in this case position binding should also hold with respect to updates.

C.1 Definition

We follow the definition of a Vector Commitment Scheme and its security with respect to updatesas defined in [CPZ18].

Definition C.1. A Vector Commitment Scheme is tuple of PPT algorithms, VC = (KeyGen,Com,Prove,Ver,UpdateCom,UpdateCom):

KeyGen(1λ, n)→ (prk, vrk, upk0, . . . , upkn−1) : given the security parameter λ and the size n of thecommitted vector it outputs a prover key prk, a verifier key vrk and update keys upk0, . . . , upkn−1.

Com(prk, a0, . . . , an−1)→ diga : given prover key prk and vector a = (a0, ..., an−1), it outputs adigest diga of vector a.

Prove(prk, i,a)→ (ai, πi) : given prover key prk, a vector a = (a0, ..., an−1) and an index i, itoutputs the element ai in the i-th position of the vector and a proof πi.

Ver(vrk, dig, i, a, π)→ b : given the verifier key prk, a digest dig, an index i, a value a and a proofπ it outputs 1 iff π is a valid proof that a is in the i-th position of the vector that is committedin dig.

UpdateCom(dig, i, δ, upki)→ dig′ : given a digest dig, an index i, an update δ and an update key ofi-th position it outputs an updated digest dig′ of a vector the same as before but with value a+ δ(instead of a) in the i-th position.

61

UpdateProof(π, i, δ, upki)→ π′ : given a digest dig, an index i, an update δ and an update key ofi-th position it outputs an updated proof that a + δ (instead of a) is in the i-th position of thevector.

Soundness A Vector Commitment Scheme VC is sound if for all PPT adversaries A the belowprobability is negl(λ)

Pr

Ver(vrk, dig, i, a, π) = 1

∧ a 6= ai:

(n, state)← A(prk, vrk, upk0, . . . , upkn−1)← KeyGen(1λ, n)

a← Adig← Com(prk,a)

for k = 1, . . . , t = poly(λ)

(j, δ)← Adig← UpdateCom(dig, j, δ, upkj)

endfor

(i, a, π)← A

= negl(λ)

C.2 EDRAX - A Vector Commitment from multilinear extensions

Multilinear Extension of vectors Let F be a field and n = 2`. Multilinear Extension of a vectora a = (a0, . . . , an−1) in F is a polynomial fa : F` → F with variables x1, . . . , x`

fa(x1, . . . , x`) =n−1∑i=0

ai ·∏k=1

selectik(xk)

where iì`−1 . . . i2i1 is the bit representation of i and selectik(xk) =

{xk, if ik = 1

1− xk, if ik = 0

A property of Multilinear extension of a is that fa(i1, . . . , i`) = ai for each i ∈ [n].

Vector Commitment Scheme We describe the EDRAX Vector Commitment:

Definition C.2. Let a bilinear group bp = (q, g,G1,GT , e)← RG(1λ) generated by a group gener-ator. Let n = 2` be the length of the vector and 2[`] be the powerset of [`] = {1, . . . , `}

KeyGen(1λ, n)→ (prk, vrk, upk0, . . . , upkn−1) : samples random s1, . . . , s`←$F and computes prk←{g∏i∈S si : S ∈ 2[`]

}and vrk← {gs1 , . . . , gs`}. For each i = 0, . . . , n−1 computes the update key

upki ←{g∏tk=1 selectik (sk) : t = 1, . . . , `

}:= {upki,t : t = 1, . . . , `}.

Com(prk, a0, . . . , an−1)→ diga : let a := (a0, . . . , an−1). Computes diga ← gfa(s1,...,s`) where fa isthe multilinear extension of vector a as described above.

Prove(prk, i,a)→ (ai, πi) : let x = (x1, . . . , x`) be an `-variable. Compute q1, . . . , q` such that fa(x)−fa(i1, . . . , i`) =

∑`k=1(xk − ik)qk(x) and πi ←

{gq1(s), . . . , gq`(s)

}(where gqi(s) is evaluated by

using prk :={g∏i∈S si : S ∈ 2[`]

}without s).

62

Ver(vrk, dig, i, a, π)→ b : parse π := (w1, . . . , w`) and outputs 1 iff e(dig/ga, g) =∏`k=1 e(g

sk−ik , wk)

UpdateCom(dig, i, δ, upki)→ dig′ : computes dig′ ← dig ·[g∏`k=1 selectik (sk)

]δ:= dig ·

[upki,`

]δ=

g(ai+δ)·∏`k=1 selectik (sk)+

∑n−1j=0,j 6=i aj ·

∏`k=1 selectjk (sk)

UpdateCom(π, i, a′, upki)→ π′ : Parses π := (w1, . . . , w`) and computes w′k ← wk · g∆i(s) for eachk = 1, . . . , `, where ∆k(x) are the delta polynomials computed by the DELTAPOLYNOMIALSalgorithm (for more details about the algorithm and its correctness we refer to [CPZ18]).

The above scheme is proven in [CPZ18] to satisfy the Soundness property under the q-StrongBilinear Diffie-Hellman assumption.

D Another Instantiations of Protocol for RCoprime

Below we propose another interactive ZK protocol for RCoprime. The difference with the above is thatit doesn’t have the limitation of λs + 1 < µ and λs < log(N)/2. Also, partial opening of Acc isn’tneeded. This comes with a cost of 2 more group elements in the proof size, 4 more exponentiationsfor the prover and 2 more for the verifier.

1. Prover computes Ca = DHra , Cra = GraHr′a , Cb = GbHρb , CB = AccbHρB , CρB = GρBHρ′B andsends to the verifier:

P → V : Ca, Cb, Cra , CB, CρB2. Prover and Verifier perform a protocol for the relation:

R((Acc, Ce, Ca, Cra , Cb, CB, CρB ), (e, r, ra, r′a, b, ρb, ρB, ρ

′B, D,B, β, δ)) = 1 iff

Cb = GbHρb ∧ CB = AccbHρB ∧ Ce = GeHr ∧ Cra = GraHr′a

∧CρB = GρBHρ′B ∧ CeaCB = GHβ ∧ CeraCρB = GβHδ

Let λs be the size of the challenge space, λz be the statistical security parameter and µ the sizeof e.

– Prover samples:

rb, re←$


)rρb , rρB , rr, rra , rr′a , rρ′B ←$


)rβ, rδ←$


)and computes:

α1 = GrbHrρb , α2 = AccrbHrρB , α3 = GreHrr , α4 = GrraHrr′a ,

α5 = Crea Hrβ , α6 = CreraG


P → V : (α1, α2, α3, α4, α5, α6, α7)


63


sb = rb − cb, se = re − cesρb = rρb − cρb, sρB = rρB − cρB, sr = rr − cr, sra = rra − cra, sr′a = rr′a − cr

′a, sρ′B = rρ′B − cρ

′B

sβ = rβ + c(era + ρB), sδ = rδ + c(er′a + ρ′B)

P → V : (sb, se, sρb , sρB , sr, sra , sr′a , sρ′B , sβ, sδ)


α1?= CcbG

sbHsρb , α2?= CcBAccsbHsρB , α3

?= CceG

seHsr , α4?= CcraG

sraHsr′a ,

α5?= Csea H

sβGcC−cB , α6?= CseraH

sδGsβC−cρB , α7?= CcρBG

sρBHsρ′B ,

se?∈[−2λz+λs+µ+1, 2λz+λs+µ+1

]

Coprime2 protocol


Prove(crs, (Ce,Acc), (e, r, (D, b))) :

1. samples ra, ra′ , ρb, ρB , ρB′ ←$ (−bN/4c , bN/4c) and computes Ca = DHra , Cra = GraHr′a , Cb =

GbHρb , CB = AccbHρB , CρB = GρBHρ′B .2. Computes the non-interactive version of the above protocol

rb, re ←$(−2λz+λs+µ, 2λz+λs+µ

)rρb , rρB , rr, rra , rr′a , rρ′B ←$


)rβ , rδ ←$


)α1 = GrbHrρb , α2 = AccrbHrρB , α3 = GreHrr , α4 = GrraH

rr′a , α5 = Crea Hrβ , α6 = CreraG

rβHrδ , α7 =

GrρBHrρ′B

c← H(α1, α2, α3, α4, α5, α6, α7, Ce, Acc)sb = rb − cb, se = re − ce, sρb = rρb − cρb, sρB = rρB − cρB , sr = rr − cr, sra = rra − cra, sr′a =rr′a − crra , sρ′B = rρ′

B− cρ′B , sβ = rβ + c(era + ρB), sδ = rδ + c(er′a + ρ′B)

Returns π ← (Ca, Cra , Cb, CB , CρB , α1, α2, α3, α4, csb, se, sρb , sρB , sr, sra , sr′a , sρ′B , sβ , sδ)

VerProof(crs, (Ce, Acc), π) : returns 1 iff α1 = CcbGsbHsρb ∧ α2 = CcBAcc

sbHsρB ∧ α3 = CceGseHsr ∧

α4 = CcraGsraH

sr′a ∧ α5 = Csea HsβGcC−cB ∧ α6 = CseraH

sδGsβC−cρB ∧ α7 = CcρBGsρBH

sρ′B ∧ ∧se ∈[

−2λ+λs+µ+1, 2λ+λs+µ+1]

Fig. 24

64

Correctness. Here we show the correctness of the protocol.

α1 = GrbHrρb = Gsb+cbHsρb+crb = GsbHsρb (GbHρb)c

= GsbHsρbCcb

α2 = AccrbHrρB = Accsb+cbHsρB+cρB = AccsrbHsρB (AccbHρB )c

= AccsbHsρBCcB

α3 = GreHrr = Gse+ceHsr+cr = GseHsr(GeHr)c

= GseHsrCce

α4 = GrraHrr′a = Gsra+craH

sr′a+cr′a = GsraH

sr′a (GraHr′a)c

= GsraHsr′aCcra

α5 = Crea Hrβ = Cse+cea Hsβ−c(era+ρB) = Csea H

sβ (DeHera)cH−c(era+ρB)

= Csea Hsβ (DeH−ρB )c = Csea H

sβ (GAcc−bH−ρB )c =

= Csea HsβGcC−cB

α6 = CreraGrβHrδ = Cse+cera Gsβ−c(era+ρB)Hsδ−c(er′a+ρ′B)

= CseraGsβHsδ(GraHr′a)ceG−c(era+ρB)H−c(er

′a+ρ

′B) = CseraG

sβHsδG−cρBH−cρ′B

= CseraGsβHsδC−cρB

α7 = GrρBHrρ′B = GsρB+cρBH

sρ′B+cρ′B = GsρBH

sρ′B (GρBHρ′B )c

= GsρBHsρ′BCcρB

Security.

Theorem D.1. Let Z∗N be an RSA group where strong-RSA assumption holds, then the aboveprotocol is an honest-verifier zero knowledge and knowledge sound protocol for RCoprime.

Proof Zero-Knowledge can be proven with standard techniques, similar to the ones in the proofof theorem 4.6 and is therefore omitted.

For the knowledge soundness, let an adversary of the knowledge soundness A that is able toconvince the verifier V with a probability at least ε. We will construct an extractor E that extractsthe witness (e, r, r2, r3, β, δ). Using rewinding E gets two accepted transcripts

(Ca, Cb, Cra , CB, CρB , α1, α2, α3, α4, α5, α6, α7, c, sb, se, sρb , sρB , sr, sra , sr′a , sρ′B , sβ, sδ)

(Ca, Cb, Cra , CB, CρB , α1, α2, α3, α4, α5, α6, α7, c′, s′b, s

′e, s′ρb, s′ρB , s

′r, s′ra , s

′r′a, s′ρ′B

, s′β, s′δ)

on two different challenges c and c′. E aborts if it cannot get two such transcripts (abort1).We denote ∆c := c′−c,∆sb := sb−s′b, ∆se := se−s′e, ∆sρb := sρb−s′ρb , ∆sρB := sρB−s′ρB , ∆sr :=

sr − s′r, ∆sra := sra − s′ra , ∆sr′a := sr′a − s′r′a, ∆sρ′B

:= sρ′B − s′ρ′B, ∆sβ := sβ − s′β, ∆sδ := sδ − s′δ then

C∆cb = G∆sbH∆sρb ⇒ Cb = ±GbH ρb (9)

C∆cB = Acc∆sbH∆sρB ⇒ CB = ±AccbH ρB (10)

C∆ce = G∆seH∆sr ⇒ Ce = ±GeH r (11)

65

C∆cra = G∆sraH∆sr′a ⇒ Cra = ±GraH r′a (12)

1 = C∆sea H∆sβG−∆cC∆cB (13)

1 = C∆sera H∆sδG∆sβC∆cρB (14)

C∆cρB = G∆sρBH∆sρ′

B ⇒ CρB = ±GρBH ρ′B (15)

define the (possibly rational) numbers b := ∆sb∆c , ρb :=

∆sρb∆c , e := ∆se

∆c , r := ∆sr∆c , ra := ∆sra

∆c ,

r′a :=∆sr′a∆c , ρB :=

∆sρB∆c , ρ′B :=

∆sρ′B

∆c .

E aborts in case ∆c doesn’t divide: ∆sb and ∆sρb(abort 2a), ∆se and ∆sr(abort 2b), ∆sra and∆sr′a(abort 2c), ∆sρB and ∆sρ′B (abort 2d). And finally, E aborts if ∆c doesn’t divide ∆sρB (abort 2e).Therefore, after these aborts didn’t happen we can infer the equivalent equalities on the right ofequations 9,11,12,15 and 10.

If we replace equations 12 and 15 in equation 14 we get 1 =(±GraH r′a

)∆seH∆sβG∆sβ

(±GρBH ρ′B

)∆cor 1 = (±1)∆se(±1)∆cGra∆se+ρB∆c+∆sβH r′a∆se+ρ

′B∆c+∆sβ . Since G,H, 1 are quadratic residues then

(±1)∆se(±1)∆c = 1, hence 1 = Gra∆se+ρB∆c+∆sβH r′a∆se+ρ′B∆c+∆sβ . Then under the DLOG assump-

tion ra∆se + ρB∆c+∆sβ = 0 = r′a∆se + ρ′B∆c+∆sβ, which gives us that

∆sβ = −ra∆se − ρB∆c (16)

Finally, we replace equations 10 and 16 in equation 13 we get 1 = C∆sea H−ra∆se−ρB∆cG−∆c(±AccbH ρB

)∆cor 1 = (±1)∆cC∆sea Accb∆cG−∆cH−ra∆se or

(±AccbG−1

)∆c=(C−1a Hra

)∆se . But as noted above

∆c divides ∆se so ±AccbG−1 = ±(C−1a Hra

)e ⇒ AccbG−1 = ±(C−1a H ra

)e ⇒ (CaH ra

)eAccb = ±G.

We discern two cases:

–(CaH ra

)eAccb = +G: Then E sets D ← Ca

H ra, e← e := ∆se

∆c , r ← r := ∆sr∆c and b← b := ∆sb

∆c

–(CaH ra

)eAccb = −G: Then e should be odd otherwise if e = 2ρ then G = −

(CaH ra

)2ρAccb would be

a non-quadratic residue. So E sets D ← − CaH ra

, e ← e := ∆se∆c , r ← r := ∆sr

∆c and b ← b := ∆sb∆c .

It is clear that DeAccb = G.

Finally the E outputs (e, r, D, b).

Now we show that the probability the extractor terminates with outputting a valid witnessis O(ε). If the extractor does not abort then it clearly outputs a valid witness (under factoringassumption). For the first abort, with a standard argument it can be shown that the extractor isable to extract two accepting transcripts with probabilityO(ε) (for the probabilistic analysis we referto [DF02]). Thus Pr[abort1] = 1−O(ε). For the aborts abort 2a, abort 2b, abort 2c and abort 2d theyhappen with negligible probability (≤ 2

1−2−λs+1Pr[B solves sRSA] each, for any PPT adversary B)under the strong RSA assumption according to lemma 4.2. For abort 2e we show in the lemma belowthat in case it happens an adversary can solve the strong RSA problem. Putting them together the

probability of success of E is at least O(ε)−(

81−2−λs+1 + 1

)Pr[B solves sRSA] = O(ε)− negl(λs).

Lemma D.1. If ∆c divides ∆sb then it also divides ∆ρB under the strong RSA assumption.

66

Proof An adversary to the strong RSA assumption receives H ∈ QRN and does the following:set G = Hτ for τ ←$ [0, 2λsN2] and send (G,H) to the adversary A which outputs a proof πCoprime2.Then we rewind to get another successful proof π′Coprime2 and we use the extractor as above to get

C∆cB = Acc∆sbH∆sρB .

Assume that ∆c - ∆ρB. Since ∆c divides ∆sb then there is a k such that k · ∆c = ∆sb.

Then C∆cB = Acck·∆cH∆sρB ⇒(CBAcc−k

)∆c= H∆sρB . From assumption ∆c doesn’t divide ∆ρB,

so gcd(∆c,∆ρB) = g for a g 6= ∆c,∆ρB. Hence, there are there are χ, ψ such that χ · ∆c +

ψ · ∆ρB = g. Thus, Hg = Hχ·∆c+ψ·∆ρB = Hχ∆c(CBAcc−k

)ψ∆c=(HχCψBAcc−ψk

)∆cso H =

±(HχCψBAcc−ψk

)∆cg

. Now since H and Acc are quadratic residues (and so is CB) we get that

H =(HχCψBAcc−ψk

)∆cg

and thus(HχCψBAcc−ψk, ∆cg

)is a solution to the strong RSA problem.

ut

By a simple argument identical to the one of section 4.4, we can also conclude about the range of

the extracted e: se?∈[−2λz+λs+µ+1, 2λz+λs+µ+1

]implies −2λz+λs+µ+2 ≤ e ≤ 2λz+λs+µ+2. ut

E Instantiation over Hidden Order Groups

In sections 4, 5 we construct zero knowledge protocols for set membership/non-membership, wherethe sets are committed using an RSA accumulator. The integer commitment scheme IntCom, theRSA accumulator-based commitments to sets SetComRSA, SetComRSA′ , the proof of equality modEq,the argument of knowledge of a root Root and the argument of knowledge of coprime elementCoprime are all working over RSA groups.

Although in our work above we specify the group to be an RSA group, we note that our protocolscan also work over any Hidden Order Group. For example Class Groups [BH01] or the recentlyproposed groups from Hyperelliptic Curves [DG20, Lee20].

Here we describe the (slight) modifications, in the protocols and the assumptions under whichthey would be secure, that are necessary to switch to (general) Hidden Order Groups.

Let Ggen(1λ) be a probabilistic algorithm that generates such a group G with order in a specificrange [ordmin, ordmax] such that 1

ordmin, 1ordmax

, 1ordmax−ordmin ∈ negl(λ).

The additional assumption that we need to make is that it is hard to find any group element inG of low (poly-size) order. This is the Low Order Assumption [BBF18b]], which is formally definedbelow:

Definition E.1 (Low Order Assumption [BBF18b]). We say that the low order assumptionholds for a Ggen if for any PPT adversary A:

Pr

u` = 1

∧u 6= 1

∧1 < ` < 2poly(λ):G← Ggen(λ)

(u, `)← A(G)

= negl(λ)

We note that specifically for RSA groups, for Low Order assumption to hold, we have to work inthe quotient group Z∗N/{1,−1} [Wes18], since otherwise−1 would trivially break the assumption. So

67

Z∗N/{1,−1} would be an instantiation of a Hidden Order Group where the Low Order assumptionholds.

In terms of constructions, one difference regards the upper bound on the order of G that isused in the protocols. More precisely, throughout the main core of our work we use N as an upperbound for the order of the group Z∗N and N/2 as an upper bound for the order of the quadraticresidues subgroup QRN . Similarly, in a Hidden Order Group G generated by Ggen, although theorder of the group is unknown, a range in which the order lies is known [ordmin, ordmax]. So themaximum order ordmax can be used, instead of N , as an upper bound. In many cases these valuesare used either to securely sample a random value or to bound the size of a value needed for asecurity proof. For example a random value that is sampled from


)in the RSA group instantiation will be sampled from

(−ordmax

2 2λz+λs , ordmax2 2λz+λs)

in the case ofhidden order groups.

Here we give other specific changes that need to be made to instantiate our protocols in generalhidden order groups. For IntCom, the verification equation becomes C = GxHr (without the ±).Then the argument of knowledge of opening of such a commitment would be secure under thestrong RSA and low order assumptions. The set commitments SetComRSA, SetComRSA′ remain thesame and are binding under the strong RSA assumption for Ggen (and collision resistance of Hprime

for the case of SetComRSA). For modEq, the same difference as for the AoK of an opening of anIntCom commitment is inherited. For Root and Coprime, the proposition 4.1 needs to be slightlymodified: A = B

xy can be without ±, and can be proven under the low order assumption instead.

Finally, in the proof of security of protocol Coprime, in lemma 5.1 the assumption λs < log(N)/2 isnot needed as long as the low order assumption holds (an adversary that can find H,∆c such thatgcd(ord(H), q`) = 1 can be used to break low order assumption).

Transparent instantiation and efficiency The above instantiation combined with a transparentproof system (for instance Bulletproofs) gives transparent CP-NIZKs for set (non)-membershipanalogously with the ones described for RSA groups in section 4, i.e. proof systems with a uniformlyrandom CRS. We ran some preliminary experiments for this instantiation over class groups of 2048-bit discriminant and using Bulletproofs. The results showed proving time of 3.3s, verification timeof 2.3 s and proof size of 5.3KB, for arbitrary accumulated elements(i.e. not necessarily primes).Furthermore, if we make use of the optimization described in section 7.4 it boosts the efficiency to1.66s, 1.33s and 4KB (prover/verifier and proof size resp.).

Unfortunately, very recent cryptanalytic results on class groups [DG20] showed that a discrim-inant of 2048 bits yields only about 60 bits of security level, while for 128 bits of security oneneeds to choose a 6600-bit discriminant for the class group. We estimate that over class groups ofa 6000-bit discriminant our aforementioned protocol, together with the optimization of section 7.4,will give proving time of ∼ 12s, verification time of ∼ 6.4s and proof size of 6.4KB. Finally, our es-timations for the respective protocol for prime elements (with the computational ZK optimization)are: ∼ 7s/∼ 6.2s/6KB (proving time/verification time/proof size resp.).

68

Documents

Zero-Knowledge Proofs for Set Membership: E cient, Succinct, … · 2020. 5. 6. · Zero-Knowledge Proofs for Set Membership: E cient, Succinct, Modular Daniel Benarroch1, Matteo